CVE-2025-40271
Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
06/12/2025
Last modified:
06/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

fs/proc: fix uaf in proc_readdir_de()

Pde is erased from the subdir rbtree through rb_erase(), but the node is not
set to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()
to set the erased node to EMPTY; then pde_subdir_next() will return NULL to
avoid uaf access.

We found a uaf issue while testing with stress-ng; the getdent and tun test
cases need to run at the same time. The steps of the issue are as follows:

1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and the current
   pde is tun3;

2) in the [time window], unregister netdevice tun3 and tun2, and erase
   them from the rbtree. Erase tun3 first, and then erase tun2. The
   pde(tun2) will be released to slab;

3) continue the getdent process; pde_subdir_next() will then return
   pde(tun2), which has been released, and this will cause uaf access.

CPU 0                                      |    CPU 1
-------------------------------------------------------------------------
traverse dir /proc/pid/net/dev_snmp6/      |   unregister_netdevice(tun->dev)   //tun3 tun2
sys_getdents64()                           |
  iterate_dir()                            |
    proc_readdir()                         |
      proc_readdir_de()                    |     snmp6_unregister_dev()
        pde_get(de);                       |       proc_remove()
        read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()
                                           |           write_lock(&proc_subdir_lock);
        [time window]                      |           rb_erase(&root->subdir_node, &parent->subdir);
                                           |           write_unlock(&proc_subdir_lock);
        read_lock(&proc_subdir_lock);      |
        next = pde_subdir_next(de);        |
        pde_put(de);                       |
        de = next;    //UAF                |

rbtree of dev_snmp6
                    |
                pde(tun3)
                 /    \
              NULL  pde(tun2)
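
The three steps above, replayed single-threaded in a userspace model (an added example, not kernel code and not the upstream patch). The node layout and the helpers `erase()`, `clear_node()`, `empty_node()`, `next()` and `replay()` are simplified stand-ins assumed for illustration; a `freed` flag replaces the real slab release, so no freed memory is ever touched.

```c
/* Userspace model of the race; simplified stand-ins (assumed), not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct node {
    struct node *parent, *left, *right;
    const char *name;
    bool freed;                       /* stands in for "released to slab" */
};

/* Same idea as RB_CLEAR_NODE()/RB_EMPTY_NODE(): self-parent means "in no tree". */
static void clear_node(struct node *n) { n->parent = n; }
static bool empty_node(const struct node *n) { return n->parent == n; }

/* Unlink n (at most one child). Like rb_erase(), leaves n's own pointers stale. */
static void erase(struct node *n, struct node **top) {
    struct node *child = n->left ? n->left : n->right;
    if (child) child->parent = n->parent;
    if (!n->parent) *top = child;
    else if (n->parent->left == n) n->parent->left = child;
    else n->parent->right = child;
}

/* In-order successor; returns NULL for a cleared node, as rb_next() does. */
static struct node *next(struct node *n) {
    if (empty_node(n)) return NULL;
    if (n->right) { n = n->right; while (n->left) n = n->left; return n; }
    while (n->parent && n == n->parent->right) n = n->parent;
    return n->parent;
}

/* Replays steps 1-3; returns the entry the reader would move to. */
static struct node *replay(bool fixed) {
    static struct node tun3, tun2;
    tun3 = (struct node){ .right = &tun2, .name = "tun3" };
    tun2 = (struct node){ .parent = &tun3, .name = "tun2" };
    struct node *top = &tun3, *de = &tun3;           /* step 1: reader holds pde(tun3) */
    erase(&tun3, &top); if (fixed) clear_node(&tun3);  /* step 2: tun3 first ... */
    erase(&tun2, &top); if (fixed) clear_node(&tun2);  /* ... then tun2 */
    tun2.freed = true;                               /* pde(tun2) goes back to slab */
    return next(de);                                 /* step 3: reader resumes */
}

int main(void) {
    struct node *stale = replay(false);
    printf("unfixed -> %s (freed=%d)\n", stale->name, stale->freed);
    printf("fixed   -> %s\n", replay(true) ? "stale entry" : "NULL");
    return 0;
}
```

Without the clear, the erased tun3 node still carries its old right-child pointer, so the successor lookup hands back the released tun2 entry; with it, the lookup stops at NULL and the directory walk ends.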
Impact
References to solutions, tools and information
- https://git.kernel.org/stable/c/03de7ff197a3d0e17d0d5c58fdac99a63cba8110
- https://git.kernel.org/stable/c/1d1596d68a6f11d28f677eedf6cf5b17dbfeb491
- https://git.kernel.org/stable/c/4cba73c4c89219beef7685a47374bf88b1022369
- https://git.kernel.org/stable/c/623bb26127fb581a741e880e1e1a47d79aecb6f8
- https://git.kernel.org/stable/c/67272c11f379d9aa5e0f6b16286b9d89b3f76046
- https://git.kernel.org/stable/c/6f2482745e510ae1dacc9b090194b9c5f918d774
- https://git.kernel.org/stable/c/895b4c0c79b092d732544011c3cecaf7322c36a1
- https://git.kernel.org/stable/c/c81d0385500446efe48c305bbb83d47f2ae23a50



