Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-38475

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
28/07/2025
Last modified:
19/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smc: Fix various oops due to inet_sock type confusion.<br /> <br /> syzbot reported weird splats [0][1] in cipso_v4_sock_setattr() while<br /> freeing inet_sk(sk)-&gt;inet_opt.<br /> <br /> The address was freed multiple times even though it was read-only memory.<br /> <br /> cipso_v4_sock_setattr() did nothing wrong, and the root cause was type<br /> confusion.<br /> <br /> The cited commit made it possible to create smc_sock as an INET socket.<br /> <br /> The issue is that struct smc_sock does not have struct inet_sock as the<br /> first member but hijacks AF_INET and AF_INET6 sk_family, which confuses<br /> various places.<br /> <br /> In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),<br /> which is an address of a function in the text segment.<br /> <br /> $ pahole -C inet_sock vmlinux<br /> struct inet_sock {<br /> ...<br /> struct ip_options_rcu * inet_opt; /* 784 8 */<br /> <br /> $ pahole -C smc_sock vmlinux<br /> struct smc_sock {<br /> ...<br /> void (*clcsk_data_ready)(struct sock *); /* 784 8 */<br /> <br /> The same issue for another field was reported before. [2][3]<br /> <br /> At that time, an ugly hack was suggested [4], but it makes both INET<br /> and SMC code error-prone and hard to change.<br /> <br /> Also, yet another variant was fixed by a hacky commit 98d4435efcbf3<br /> ("net/smc: prevent NULL pointer dereference in txopt_get").<br /> <br /> Instead of papering over the root cause by such hacks, we should not<br /> allow non-INET socket to reuse the INET infra.<br /> <br /> Let&amp;#39;s add inet_sock as the first member of smc_sock.<br /> <br /> [0]:<br /> kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73<br /> WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT<br /> Tainted: [W]=WARN<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025<br /> pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955<br /> lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955<br /> sp : ffff8000a03a7730<br /> x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3<br /> x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00<br /> x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0<br /> x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffff<br /> x17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14c<br /> x14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffff<br /> x11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000<br /> x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001<br /> x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360<br /> x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000<br /> Call trace:<br /> kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P)<br /> cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914<br /> netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000<br /> smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581<br /> smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912<br /> security_inode_setsecurity+0x118/0x3c0 security/security.c:2706<br /> __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251<br /> __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295<br /> vfs_setxattr+0x158/0x2ac fs/xattr.c:321<br /> do_setxattr fs/xattr.c:636 [inline]<br /> file_setxattr+0x1b8/0x294 fs/xattr.c:646<br /> path_setxattrat+0x2ac/0x320 fs/xattr.c:711<br /> __do_sys_fsetxattr fs/xattr.c:761 [inline]<br /> __se_sys_fsetxattr fs/xattr.c:758 [inline]<br /> __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758<br /> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]<br /> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49<br /> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132<br /> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151<br /> el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879<br /> el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898<br /> el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600<br /> <br /> [<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11 (including) 6.12.40 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.15.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools