CVE-2025-21858
Severity CVSS v4.0: Pending analysis
Type: CWE-416 (Use After Free)
Publication date: 12/03/2025
Last modified: 13/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

geneve: Fix use-after-free in geneve_find_dev().

syzkaller reported a use-after-free in geneve_find_dev() [0]
without repro.

geneve_configure() links struct geneve_dev.next to
net_generic(net, geneve_net_id)->geneve_list.

The net here could differ from dev_net(dev) if IFLA_NET_NS_PID,
IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.

When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally
calls unregister_netdevice_queue() for each dev in the netns,
and later the dev is freed.

However, its geneve_dev.next is still linked to the backend UDP
socket netns.

Then, use-after-free will occur when another geneve dev is created
in the netns.

Let's call geneve_dellink() instead in geneve_destroy_tunnels().

[0]:
BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline]
BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343
Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441

CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d
Hardware name: linux,dummy-virt (DT)
Call trace:
show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x16c/0x6f0 mm/kasan/report.c:489
kasan_report+0xc0/0x120 mm/kasan/report.c:602
__asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379
geneve_find_dev drivers/net/geneve.c:1295 [inline]
geneve_configure+0x234/0x858 drivers/net/geneve.c:1343
geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634
rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795
__rtnl_newlink net/core/rtnetlink.c:3906 [inline]
rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021
rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911
netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543
rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348
netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:713 [inline]
__sock_sendmsg net/socket.c:728 [inline]
____sys_sendmsg+0x410/0x6f8 net/socket.c:2568
___sys_sendmsg+0x178/0x1d8 net/socket.c:2622
__sys_sendmsg net/socket.c:2654 [inline]
__do_sys_sendmsg net/socket.c:2659 [inline]
__se_sys_sendmsg net/socket.c:2657 [inline]
__arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151
el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600

Allocated by task 13247:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x68 mm/kasan/common.c:68
kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4298 [inline]
__kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304
__kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645
alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470
rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604
rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780
__rtnl_newlink net/core/rtnetlink.c:3906 [inline]
rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021
rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911
netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543
rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938
netlink_unicast_kernel net/netlink/af_n
---truncated---
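The lifetime bug the commit message describes is a cross-namespace ownership mismatch: the device is owned (and freed) by dev_net(dev), but its list link lives in the backend socket's netns, so teardown of the first namespace leaves a dangling node in the second. The following is an added, simplified user-space model of that pattern, not the kernel's code and not part of the advisory. The names mirror the kernel's (geneve_find_dev, geneve_configure, geneve_dellink, geneve_destroy_tunnels) but are hypothetical simplifications; the fixed-size pool with a `freed` flag is a constructed stand-in for KASAN's slab poisoning, and the `fixed` parameter switches between the "free without unlinking" behaviour and the "unlink, then free" behaviour that calling geneve_dellink() gives.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space model of the object lifetimes in the advisory.
 * Nothing here is kernel code; the pool and the "freed" flag are a toy
 * stand-in for KASAN's poisoning of freed slab objects. */

struct netns;

struct geneve_dev {
	struct geneve_dev *next; /* link in the backend socket netns' list */
	struct netns *dev_net;   /* namespace the net_device itself lives in */
	struct netns *sock_net;  /* namespace whose geneve_list this dev is on */
	uint16_t vni;            /* the 2-byte field the lookup compares */
	bool freed;              /* toy KASAN: set once the object is freed */
};

struct netns {
	struct geneve_dev *geneve_list; /* stands in for net_generic(...)->geneve_list */
};

#define POOL_SIZE 4
static struct geneve_dev pool[POOL_SIZE];
static int pool_used;

static void pool_reset(void) { memset(pool, 0, sizeof(pool)); pool_used = 0; }
static struct geneve_dev *pool_alloc(void) { return pool_used < POOL_SIZE ? &pool[pool_used++] : NULL; }
static void pool_free(struct geneve_dev *d) { d->freed = true; }

/* Walk the socket netns list. Returns 1 if the VNI is already present,
 * 0 if not, and -1 when the walk touches a freed node, which is the read
 * KASAN reported as slab-use-after-free. */
static int geneve_find_dev(struct netns *sock_net, uint16_t vni)
{
	for (struct geneve_dev *d = sock_net->geneve_list; d; d = d->next) {
		if (d->freed)
			return -1;
		if (d->vni == vni)
			return 1;
	}
	return 0;
}

/* Create a dev in dev_net but link it into sock_net's list; the two differ
 * when the device is created with IFLA_NET_NS_* / IFLA_TARGET_NETNSID. */
static int geneve_configure(struct netns *sock_net, struct netns *dev_net, uint16_t vni)
{
	int r = geneve_find_dev(sock_net, vni);
	if (r != 0)
		return r; /* -1: use-after-free hit, 1: duplicate VNI */
	struct geneve_dev *d = pool_alloc();
	if (!d)
		return -2;
	d->dev_net = dev_net;
	d->sock_net = sock_net;
	d->vni = vni;
	d->next = sock_net->geneve_list;
	sock_net->geneve_list = d;
	return 0;
}

/* Unlink from the socket netns list first, then free. */
static void geneve_dellink(struct geneve_dev *dev)
{
	struct geneve_dev **pp = &dev->sock_net->geneve_list;
	while (*pp && *pp != dev)
		pp = &(*pp)->next;
	if (*pp)
		*pp = dev->next;
	pool_free(dev);
}

/* Namespace teardown for every dev whose dev_net is `net`. The unfixed
 * path only frees, leaving geneve_dev.next on the other namespace's list;
 * the fixed path goes through geneve_dellink(). */
static void geneve_destroy_tunnels(struct netns *net, bool fixed)
{
	for (int i = 0; i < pool_used; i++) {
		struct geneve_dev *d = &pool[i];
		if (d->freed || d->dev_net != net)
			continue;
		if (fixed)
			geneve_dellink(d);
		else
			pool_free(d);
	}
}

/* Scenario from the advisory: dev #1 lives in ns_a with its backend socket
 * in ns_b; ns_a is dismantled; a second geneve dev is then created in ns_b.
 * Returns -1 if the toy KASAN caught the use-after-free, 0 if clean. */
int run_scenario(bool fixed)
{
	struct netns ns_a = {0}, ns_b = {0};
	pool_reset();
	if (geneve_configure(&ns_b, &ns_a, 100) != 0)
		return -2;
	geneve_destroy_tunnels(&ns_a, fixed);
	return geneve_configure(&ns_b, &ns_b, 200);
}

int main(void)
{
	printf("without fix: %s\n", run_scenario(false) == -1 ? "use-after-free detected" : "clean");
	printf("with fix:    %s\n", run_scenario(true) == 0 ? "clean" : "problem");
	return 0;
}
```

The point the model makes is that the object is freed by one owner (the device's namespace) while a second owner (the socket's namespace) still holds a pointer to it; the correct teardown has to remove the object from every structure that references it before releasing it, which is what routing teardown through geneve_dellink() achieves.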
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.2 (including) | 6.1.130 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.80 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.17 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/3ce92ca990cfac88a87c61df3cc0b5880e688ecf
- https://git.kernel.org/stable/c/5a0538ac6826807d6919f6aecbb8996c2865af2c
- https://git.kernel.org/stable/c/788dbca056a8783ec063da3c9d49a3a71c76c283
- https://git.kernel.org/stable/c/904e746b2e7fa952ab8801b303ce826a63153d78
- https://git.kernel.org/stable/c/9593172d93b9f91c362baec4643003dc29802929
- https://git.kernel.org/stable/c/d5e86e27de0936f3cb0a299ce519d993e9cf3886
- https://git.kernel.org/stable/c/da9b0ae47f084014b1e4b3f31f70a0defd047ff3
- https://git.kernel.org/stable/c/f74f6560146714241c6e167b03165ee77a86e316