CVE-2025-38464
published 2025-07-25CVE-2025-38464: In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved:
tipc: Fix use-after-free in tipc_conn_close().
syzbot reported a null-ptr-deref in tipc_conn_close() during netns
dismantle. [0]
tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls
tipc_conn_close() for each tipc_conn.
The problem is that tipc_conn_close() is called after releasing the
IDR lock.
At the same time, there might be tipc_conn_recv_work() running and it
could call tipc_conn_close() for the same tipc_conn and release its
last ->kref.
Once we release the IDR lock in tipc_topsrv_stop(), there is no
guarantee that the tipc_conn is alive.
Let's hold the ref before releasing the lock and put the ref after
tipc_conn_close() in tipc_topsrv_stop().
[0]:
BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435
CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
tipc_topsrv_stop net/tipc/topsrv.c:701 [inline]
tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722
ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153
cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 23:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc in
Affected
38 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f < 03dcdd2558e1e55bf843822fe4363dcb48743f2b | 03dcdd2558e1e55bf843822fe4363dcb48743f2b |
| linux | linux | >= c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f < 15a6f4971e2f157d57e09ea748d1fbc714277aa4 | 15a6f4971e2f157d57e09ea748d1fbc714277aa4 |
| linux | linux | >= c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f < dab8ded2e5ff41012a6ff400b44dbe76ccf3592a | dab8ded2e5ff41012a6ff400b44dbe76ccf3592a |
| linux | linux | >= c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f < 1dbf7cd2454a28b1da700085b99346b5445aeabb | 1dbf7cd2454a28b1da700085b99346b5445aeabb |
| linux | linux | >= c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f < be4b8392da7978294f2f368799d29dd509fb6c4d | be4b8392da7978294f2f368799d29dd509fb6c4d |
| linux | linux | >= c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f < 50aa2d121bc2cfe2d825f8a331ea75dfaaab6a50 | 50aa2d121bc2cfe2d825f8a331ea75dfaaab6a50 |
| linux | linux | >= c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f < 3b89e17b2fd64012682bed158d9eb3d2e96dec42 | 3b89e17b2fd64012682bed158d9eb3d2e96dec42 |
| linux | linux | >= c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f < 667eeab4999e981c96b447a4df5f20bdf5c26f13 | 667eeab4999e981c96b447a4df5f20bdf5c26f13 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.147-1 | 6.1.147-1 |
| linux | linux_kernel | >= 0 < 6.12.41-1 | 6.12.41-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 0 < 5.15.0-156.166 | 5.15.0-156.166 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 3.11 < 5.4.296 | 5.4.296 |
| linux | linux_kernel | >= 5.11 < 5.15.189 | 5.15.189 |
| linux | linux_kernel | >= 5.16 < 6.1.146 | 6.1.146 |
| linux | linux_kernel | >= 5.5 < 5.10.240 | 5.10.240 |
| linux | linux_kernel | >= 6.13 < 6.15.7 | 6.15.7 |
| linux | linux_kernel | >= 6.2 < 6.6.99 | 6.6.99 |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH