CVE-2025-38666

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
22/08/2025
Last modified:
07/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net: appletalk: Fix use-after-free in AARP proxy probe

The AARP proxy-probe routine (aarp_proxy_probe_network) sends a probe,
releases the aarp_lock, sleeps, then re-acquires the lock. During that
window an expire timer thread (__aarp_expire_timer) can remove and
kfree() the same entry, leading to a use-after-free.

race condition:

cpu 0                              | cpu 1
atalk_sendmsg()                    | atif_proxy_probe_device()
aarp_send_ddp()                    | aarp_proxy_probe_network()
mod_timer()                        | lock(aarp_lock) // LOCK!!
timeout around 200ms               | alloc(aarp_entry)
and then call                      | proxies[hash] = aarp_entry
aarp_expire_timeout()              | aarp_send_probe()
                                   | unlock(aarp_lock) // UNLOCK!!
lock(aarp_lock) // LOCK!!          | msleep(100);
__aarp_expire_timer(&proxies[ct])  |
free(aarp_entry)                   |
unlock(aarp_lock) // UNLOCK!!      |
                                   | lock(aarp_lock) // LOCK!!
                                   | UAF aarp_entry !!

==================================================================
BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493
Read of size 4 at addr ffff8880123aa360 by task repro/13278

CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full)
Call Trace:

__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc1/0x630 mm/kasan/report.c:521
kasan_report+0xca/0x100 mm/kasan/report.c:634
aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493
atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]
atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857
atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818
sock_do_ioctl+0xdc/0x260 net/socket.c:1190
sock_ioctl+0x239/0x6a0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Allocated:
aarp_alloc net/appletalk/aarp.c:382 [inline]
aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468
atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]
atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857
atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818

Freed:
kfree+0x148/0x4d0 mm/slub.c:4841
__aarp_expire net/appletalk/aarp.c:90 [inline]
__aarp_expire_timer net/appletalk/aarp.c:261 [inline]
aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317

The buggy address belongs to the object at ffff8880123aa300
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 96 bytes inside of
freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)

Memory state around the buggy address:
 ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
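
The interleaving above, reduced to a runnable single-threaded model. This is an added example, not kernel code and not the upstream fix: the "timer" is called by hand inside the sleep window so the race from the report replays deterministically, aarp_lock is a flag (one thread), the slab is a fixed pool with KASAN-style out-of-band shadow state so a stale dereference is detected instead of being undefined behaviour, and model_kmalloc, probe_start, probe_vulnerable, probe_hardened, window_fn and the PROBE_* outcomes are names invented here. probe_vulnerable keeps the buggy shape (cache the pointer, drop the lock, relock, dereference); probe_hardened shows one way to close the window, by reaching the entry only through the table after relocking.

```c
#include <stdlib.h>
#include <string.h>

#define AARP_HASH_SIZE 16
#define ATIF_PROBE_FAIL 0x01
/* Outcomes; PROBE_UAF is model-only: real freed memory gives no such signal. */
enum { PROBE_OK = 0, PROBE_FAIL = -1, PROBE_EXPIRED = 1, PROBE_UAF = -2 };

struct aarp_entry {
	struct aarp_entry *next;
	int node, status;         /* node is the lookup key      */
	unsigned long expires_at; /* deadline in model "jiffies" */
};

static struct aarp_entry *proxies[AARP_HASH_SIZE];
static unsigned long jiffies;

/* aarp_lock model: one thread, so a flag; re-entry (kernel self-deadlock) aborts. */
static int aarp_lock_held;
static void aarp_lock(void)   { if (aarp_lock_held) abort(); aarp_lock_held = 1; }
static void aarp_unlock(void) { aarp_lock_held = 0; }

/* Slab model: a fixed pool standing in for kmalloc-192, plus KASAN-style
 * out-of-band shadow state so a stale dereference is detectable, not UB. */
#define POOL_SIZE 8
static struct aarp_entry pool[POOL_SIZE];
static unsigned char shadow_freed[POOL_SIZE];
static int npool;

static struct aarp_entry *model_kmalloc(void)
{
	if (npool == POOL_SIZE) abort();    /* model exhausted: raise POOL_SIZE */
	return &pool[npool++];
}

static void model_kfree(struct aarp_entry *e)
{
	memset(e, 0xfb, sizeof(*e));        /* KASAN's freed-object poison */
	shadow_freed[e - pool] = 1;
}

/* aarp_expire_timeout() -> __aarp_expire_timer(): unlink and free expired entries. */
static void aarp_expire_timeout(void)
{
	aarp_lock();
	for (int ct = 0; ct < AARP_HASH_SIZE; ct++)
		for (struct aarp_entry **pp = &proxies[ct]; *pp; ) {
			struct aarp_entry *e = *pp;
			if (e->expires_at > jiffies) { pp = &e->next; continue; }
			*pp = e->next;
			model_kfree(e);
		}
	aarp_unlock();
}

/* What runs while the probe has dropped the lock: nothing, or the timer. */
typedef void (*window_fn)(void);
static void window_idle(void) {}

/* Common prologue: publish under the lock, unlock, "sleep" past the deadline
 * while the window runs, relock, and hand back the pointer cached before. */
static struct aarp_entry *probe_start(int node, window_fn during_sleep)
{
	struct aarp_entry *entry = model_kmalloc();
	aarp_lock();                        /* LOCK!!   */
	entry->node = node;
	entry->expires_at = jiffies + 200;  /* short deadline, as in the report */
	entry->next = proxies[node % AARP_HASH_SIZE];
	proxies[node % AARP_HASH_SIZE] = entry;
	aarp_unlock();                      /* UNLOCK!! */
	jiffies += 300;                     /* msleep(100) a few times */
	during_sleep();                     /* the timer may fire here */
	aarp_lock();                        /* LOCK!!   */
	return entry;
}

/* Buggy flow: trust the pointer cached before the lock was dropped. */
static int probe_vulnerable(int node, window_fn during_sleep)
{
	struct aarp_entry *entry = probe_start(node, during_sleep);
	int rc = PROBE_UAF;                 /* what KASAN flags at aarp.c:493 */
	if (!shadow_freed[entry - pool])
		rc = (entry->status & ATIF_PROBE_FAIL) ? PROBE_FAIL : PROBE_OK;
	aarp_unlock();
	return rc;
}

/* Hardened flow (illustrative, not the upstream patch): after relocking, reach
 * the entry only through the table; if the timer unlinked it, leave quietly. */
static int probe_hardened(int node, window_fn during_sleep)
{
	int rc = PROBE_EXPIRED;
	(void)probe_start(node, during_sleep);
	for (struct aarp_entry *e = proxies[node % AARP_HASH_SIZE]; e; e = e->next)
		if (e->node == node) {
			rc = (e->status & ATIF_PROBE_FAIL) ? PROBE_FAIL : PROBE_OK;
			break;
		}
	aarp_unlock();
	return rc;
}
```

With the timer run inside the window, probe_vulnerable touches a poisoned object (the model returns PROBE_UAF; the kernel has no such check, which is why KASAN was needed to see it), while probe_hardened finds the hash chain empty and backs off. The re-lookup is enough here because each probe owns a distinct key; if another allocation could reuse the same node while the lock is dropped, the lookup would find the new entry and you would want a reference count or a "probe in progress" marker that the expire path honours instead.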

Vulnerable products and versions

CPE                                               | From               | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      | 2.6.13 (including) | 5.4.297 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      | 5.5 (including)    | 5.10.241 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      | 5.11 (including)   | 5.15.190 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      | 5.16 (including)   | 6.1.148 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      | 6.2 (including)    | 6.6.101 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      | 6.7 (including)    | 6.12.41 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      | 6.13 (including)   | 6.15.9 (excluding)
cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:* |                    |
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:* |                  |
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:* |                  |
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:* |                  |
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:* |                  |
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*   |                  |
cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*   |                  |
cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*   |                  |