fkie_cve-2025-38378
Vulnerability from fkie_nvd
Published: 2025-07-25 13:15
Modified: 2025-07-25 15:29
Severity: not yet assigned
Summary
In the Linux kernel, the following vulnerability has been resolved:

HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe

In probe appletb_kbd_probe() a "struct appletb_kbd *kbd" is allocated via devm_kzalloc() to store touch bar keyboard related data. Later on, if backlight_device_get_by_name() finds a backlight device with name "appletb_backlight", a timer (kbd->inactivity_timer) is set up with appletb_inactivity_timer() and the timer is armed to run after appletb_tb_dim_timeout (60) seconds.

A use-after-free is triggered when failure occurs after the timer is armed. This ultimately means probe failure occurs and as a result the "struct appletb_kbd *kbd", which is device-managed memory, is freed. After 60 seconds the timer will have expired and __run_timers will attempt to access the timer (kbd->inactivity_timer); however, the kbd structure has been freed, causing a use-after-free.

[   71.636938] ==================================================================
[   71.637915] BUG: KASAN: slab-use-after-free in __run_timers+0x7ad/0x890
[   71.637915] Write of size 8 at addr ffff8881178c5958 by task swapper/1/0
[   71.637915]
[   71.637915] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc2-00318-g739a6c93cc75-dirty #12 PREEMPT(voluntary)
[   71.637915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   71.637915] Call Trace:
[   71.637915]  <IRQ>
[   71.637915]  dump_stack_lvl+0x53/0x70
[   71.637915]  print_report+0xce/0x670
[   71.637915]  ? __run_timers+0x7ad/0x890
[   71.637915]  kasan_report+0xce/0x100
[   71.637915]  ? __run_timers+0x7ad/0x890
[   71.637915]  __run_timers+0x7ad/0x890
[   71.637915]  ? __pfx___run_timers+0x10/0x10
[   71.637915]  ? update_process_times+0xfc/0x190
[   71.637915]  ? __pfx_update_process_times+0x10/0x10
[   71.637915]  ? _raw_spin_lock_irq+0x80/0xe0
[   71.637915]  ? _raw_spin_lock_irq+0x80/0xe0
[   71.637915]  ? __pfx__raw_spin_lock_irq+0x10/0x10
[   71.637915]  run_timer_softirq+0x141/0x240
[   71.637915]  ? __pfx_run_timer_softirq+0x10/0x10
[   71.637915]  ? __pfx___hrtimer_run_queues+0x10/0x10
[   71.637915]  ? kvm_clock_get_cycles+0x18/0x30
[   71.637915]  ? ktime_get+0x60/0x140
[   71.637915]  handle_softirqs+0x1b8/0x5c0
[   71.637915]  ? __pfx_handle_softirqs+0x10/0x10
[   71.637915]  irq_exit_rcu+0xaf/0xe0
[   71.637915]  sysvec_apic_timer_interrupt+0x6c/0x80
[   71.637915]  </IRQ>
[   71.637915]
[   71.637915] Allocated by task 39:
[   71.637915]  kasan_save_stack+0x33/0x60
[   71.637915]  kasan_save_track+0x14/0x30
[   71.637915]  __kasan_kmalloc+0x8f/0xa0
[   71.637915]  __kmalloc_node_track_caller_noprof+0x195/0x420
[   71.637915]  devm_kmalloc+0x74/0x1e0
[   71.637915]  appletb_kbd_probe+0x37/0x3c0
[   71.637915]  hid_device_probe+0x2d1/0x680
[   71.637915]  really_probe+0x1c3/0x690
[   71.637915]  __driver_probe_device+0x247/0x300
[   71.637915]  driver_probe_device+0x49/0x210
[...]
[   71.637915]
[   71.637915] Freed by task 39:
[   71.637915]  kasan_save_stack+0x33/0x60
[   71.637915]  kasan_save_track+0x14/0x30
[   71.637915]  kasan_save_free_info+0x3b/0x60
[   71.637915]  __kasan_slab_free+0x37/0x50
[   71.637915]  kfree+0xcf/0x360
[   71.637915]  devres_release_group+0x1f8/0x3c0
[   71.637915]  hid_device_probe+0x315/0x680
[   71.637915]  really_probe+0x1c3/0x690
[   71.637915]  __driver_probe_device+0x247/0x300
[   71.637915]  driver_probe_device+0x49/0x210
[...]

The root cause of the issue is that the timer is not disarmed on failure paths, leading to it remaining active and accessing freed memory. To fix this, call timer_delete_sync() to deactivate the timer.

Another small issue is that timer_delete_sync is called unconditionally in appletb_kbd_remove(); fix this by checking for a valid kbd->backlight_dev before calling timer_delete_sync.
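The lifetime bug and the patch's fix, as an added user-space model that is not the kernel's or the driver's code. A pending list plays the timer wheel, free() plays devres releasing the devm allocation, the 60 s delay is not simulated, and mod_timer, timer_delete_sync, appletb_kbd_probe and stale_timer_after_failed_probe are the model's own simplified stand-ins for the names in the report.

```c
/* Added example, not kernel code: a user-space model of the appletb_kbd_probe()
 * bug. A pending list stands in for the kernel timer wheel and free() for devres
 * releasing devm memory; names mirror the driver, but all of it is simulated. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct timer_list { struct timer_list *next; };   /* callback omitted here */
static struct timer_list *pending;                /* mock timer wheel */
static uintptr_t last_armed;                      /* last armed timer, as integer */
static void mod_timer(struct timer_list *t)
{
    t->next = pending;
    pending = t;
    last_armed = (uintptr_t)t;
}
/* Unlink t from the wheel (the real call also waits for a running callback). */
static void timer_delete_sync(struct timer_list *t)
{
    for (struct timer_list **pp = &pending; *pp; pp = &(*pp)->next)
        if (*pp == t) { *pp = t->next; return; }
}

struct appletb_kbd {
    void *backlight_dev;                 /* NULL when no backlight is found */
    struct timer_list inactivity_timer;
};
/* Probe failing after the timer is armed. fixed == false frees the devm kbd with
 * its timer still pending (the bug); fixed == true disarms it first (the patch). */
static int appletb_kbd_probe(bool have_backlight, bool fixed)
{
    struct appletb_kbd *kbd = calloc(1, sizeof(*kbd));    /* devm_kzalloc */
    if (!kbd)
        return -1;                                        /* -ENOMEM */
    if (have_backlight) {
        kbd->backlight_dev = kbd;                         /* any non-NULL */
        mod_timer(&kbd->inactivity_timer);                /* fires in 60 s */
    }
    if (fixed && kbd->backlight_dev)          /* a later step failed: unwind */
        timer_delete_sync(&kbd->inactivity_timer);
    free(kbd);                                /* devres_release_group */
    return -1;
}
/* After one failed probe: does the wheel still point into the freed kbd (the
 * address __run_timers would touch 60 s later)? Integer compare, no deref. */
static bool stale_timer_after_failed_probe(bool fixed)
{
    pending = NULL;
    appletb_kbd_probe(true, fixed);
    return (uintptr_t)pending == last_armed;
}
```

The unfixed path leaves the wheel pointing at the freed kbd, which is exactly the dangling reference the KASAN report shows __run_timers writing through.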
Impacted products
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\n\nIn probe appletb_kbd_probe() a \"struct appletb_kbd *kbd\" is allocated\nvia devm_kzalloc() to store touch bar keyboard related data.\nLater on if backlight_device_get_by_name() finds a backlight device\nwith name \"appletb_backlight\" a timer (kbd-\u003einactivity_timer) is setup\nwith appletb_inactivity_timer() and the timer is armed to run after\nappletb_tb_dim_timeout (60) seconds.\n\nA use-after-free is triggered when failure occurs after the timer is\narmed. This ultimately means probe failure occurs and as a result the\n\"struct appletb_kbd *kbd\" which is device managed memory is freed.\nAfter 60 seconds the timer will have expired and __run_timers will\nattempt to access the timer (kbd-\u003einactivity_timer) however the kdb\nstructure has been freed causing a use-after free.\n\n[   71.636938] ==================================================================\n[   71.637915] BUG: KASAN: slab-use-after-free in __run_timers+0x7ad/0x890\n[   71.637915] Write of size 8 at addr ffff8881178c5958 by task swapper/1/0\n[   71.637915]\n[   71.637915] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc2-00318-g739a6c93cc75-dirty #12 PREEMPT(voluntary)\n[   71.637915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n[   71.637915] Call Trace:\n[   71.637915]  \u003cIRQ\u003e\n[   71.637915]  dump_stack_lvl+0x53/0x70\n[   71.637915]  print_report+0xce/0x670\n[   71.637915]  ? __run_timers+0x7ad/0x890\n[   71.637915]  kasan_report+0xce/0x100\n[   71.637915]  ? __run_timers+0x7ad/0x890\n[   71.637915]  __run_timers+0x7ad/0x890\n[   71.637915]  ? __pfx___run_timers+0x10/0x10\n[   71.637915]  ? update_process_times+0xfc/0x190\n[   71.637915]  ? __pfx_update_process_times+0x10/0x10\n[   71.637915]  ? _raw_spin_lock_irq+0x80/0xe0\n[   71.637915]  ? 
_raw_spin_lock_irq+0x80/0xe0\n[   71.637915]  ? __pfx__raw_spin_lock_irq+0x10/0x10\n[   71.637915]  run_timer_softirq+0x141/0x240\n[   71.637915]  ? __pfx_run_timer_softirq+0x10/0x10\n[   71.637915]  ? __pfx___hrtimer_run_queues+0x10/0x10\n[   71.637915]  ? kvm_clock_get_cycles+0x18/0x30\n[   71.637915]  ? ktime_get+0x60/0x140\n[   71.637915]  handle_softirqs+0x1b8/0x5c0\n[   71.637915]  ? __pfx_handle_softirqs+0x10/0x10\n[   71.637915]  irq_exit_rcu+0xaf/0xe0\n[   71.637915]  sysvec_apic_timer_interrupt+0x6c/0x80\n[   71.637915]  \u003c/IRQ\u003e\n[   71.637915]\n[   71.637915] Allocated by task 39:\n[   71.637915]  kasan_save_stack+0x33/0x60\n[   71.637915]  kasan_save_track+0x14/0x30\n[   71.637915]  __kasan_kmalloc+0x8f/0xa0\n[   71.637915]  __kmalloc_node_track_caller_noprof+0x195/0x420\n[   71.637915]  devm_kmalloc+0x74/0x1e0\n[   71.637915]  appletb_kbd_probe+0x37/0x3c0\n[   71.637915]  hid_device_probe+0x2d1/0x680\n[   71.637915]  really_probe+0x1c3/0x690\n[   71.637915]  __driver_probe_device+0x247/0x300\n[   71.637915]  driver_probe_device+0x49/0x210\n[...]\n[   71.637915]\n[   71.637915] Freed by task 39:\n[   71.637915]  kasan_save_stack+0x33/0x60\n[   71.637915]  kasan_save_track+0x14/0x30\n[   71.637915]  kasan_save_free_info+0x3b/0x60\n[   71.637915]  __kasan_slab_free+0x37/0x50\n[   71.637915]  kfree+0xcf/0x360\n[   71.637915]  devres_release_group+0x1f8/0x3c0\n[   71.637915]  hid_device_probe+0x315/0x680\n[   71.637915]  really_probe+0x1c3/0x690\n[   71.637915]  __driver_probe_device+0x247/0x300\n[   71.637915]  driver_probe_device+0x49/0x210\n[...]\n\nThe root cause of the issue is that the timer is not disarmed\non failure paths leading to it remaining active and accessing\nfreed memory. To fix this call timer_delete_sync() to deactivate\nthe timer.\n\nAnother small issue is that timer_delete_sync is called\nunconditionally in appletb_kbd_remove(), fix this by checking\nfor a valid kbd-\u003ebacklight_dev before calling timer_delete_sync."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: appletb-kbd: correcci\u00f3n de use-after-free de slab en appletb_kbd_probe. En la sonda appletb_kbd_probe(), se asigna una estructura \"struct appletb_kbd *kbd\" mediante devm_kzalloc() para almacenar datos relacionados con el teclado de la barra t\u00e1ctil. Posteriormente, si backlight_device_get_by_name() encuentra un dispositivo de retroiluminaci\u00f3n con el nombre \"appletb_backlight\", se configura un temporizador (kbd-\u0026gt;inactivity_timer) con appletb_inactivity_timer() y se arma para que se ejecute despu\u00e9s de appletb_tb_dim_timeout (60) segundos. Se activa un uso tras liberaci\u00f3n cuando se produce un fallo despu\u00e9s de que el temporizador est\u00e9 armado. Esto, en \u00faltima instancia, significa que se produce un fallo en la sonda y, como resultado, se libera la estructura \"struct appletb_kbd *kbd\", que es la memoria administrada por el dispositivo. Despu\u00e9s de 60 segundos, el temporizador habr\u00e1 expirado y __run_timers intentar\u00e1 acceder al temporizador (kbd-\u0026gt;inactivity_timer); sin embargo, la estructura kdb se habr\u00e1 liberado, lo que provocar\u00e1 un use-after-free. [ 71.636938] ================================================================== [ 71.637915] BUG: KASAN: slab-use-after-free in __run_timers+0x7ad/0x890 [ 71.637915] Write of size 8 at addr ffff8881178c5958 by task swapper/1/0 [ 71.637915] [ 71.637915] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc2-00318-g739a6c93cc75-dirty #12 PREEMPT(voluntary) [ 71.637915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 71.637915] Call Trace: [ 71.637915]  [ 71.637915] dump_stack_lvl+0x53/0x70 [ 71.637915] print_report+0xce/0x670 [ 71.637915] ? __run_timers+0x7ad/0x890 [ 71.637915] kasan_report+0xce/0x100 [ 71.637915] ? __run_timers+0x7ad/0x890 [ 71.637915] __run_timers+0x7ad/0x890 [ 71.637915] ? 
__pfx___run_timers+0x10/0x10 [ 71.637915] ? update_process_times+0xfc/0x190 [ 71.637915] ? __pfx_update_process_times+0x10/0x10 [ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0 [ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0 [ 71.637915] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 71.637915] run_timer_softirq+0x141/0x240 [ 71.637915] ? __pfx_run_timer_softirq+0x10/0x10 [ 71.637915] ? __pfx___hrtimer_run_queues+0x10/0x10 [ 71.637915] ? kvm_clock_get_cycles+0x18/0x30 [ 71.637915] ? ktime_get+0x60/0x140 [ 71.637915] handle_softirqs+0x1b8/0x5c0 [ 71.637915] ? __pfx_handle_softirqs+0x10/0x10 [ 71.637915] irq_exit_rcu+0xaf/0xe0 [ 71.637915] sysvec_apic_timer_interrupt+0x6c/0x80 [ 71.637915]  [ 71.637915] [ 71.637915] Allocated by task 39: [ 71.637915] kasan_save_stack+0x33/0x60 [ 71.637915] kasan_save_track+0x14/0x30 [ 71.637915] __kasan_kmalloc+0x8f/0xa0 [ 71.637915] __kmalloc_node_track_caller_noprof+0x195/0x420 [ 71.637915] devm_kmalloc+0x74/0x1e0 [ 71.637915] appletb_kbd_probe+0x37/0x3c0 [ 71.637915] hid_device_probe+0x2d1/0x680 [ 71.637915] really_probe+0x1c3/0x690 [ 71.637915] __driver_probe_device+0x247/0x300 [ 71.637915] driver_probe_device+0x49/0x210 [...] [ 71.637915] [ 71.637915] Freed by task 39: [ 71.637915] kasan_save_stack+0x33/0x60 [ 71.637915] kasan_save_track+0x14/0x30 [ 71.637915] kasan_save_free_info+0x3b/0x60 [ 71.637915] __kasan_slab_free+0x37/0x50 [ 71.637915] kfree+0xcf/0x360 [ 71.637915] devres_release_group+0x1f8/0x3c0 [ 71.637915] hid_device_probe+0x315/0x680 [ 71.637915] really_probe+0x1c3/0x690 [ 71.637915] __driver_probe_device+0x247/0x300 [ 71.637915] driver_probe_device+0x49/0x210 [...]  La causa principal del problema es que el temporizador no se desactiva en rutas de fallo, lo que provoca que permanezca activo y acceda a la memoria liberada. Para solucionar esto, llame a timer_delete_sync() para desactivarlo. Otro peque\u00f1o problema es que timer_delete_sync se llama incondicionalmente en appletb_kbd_remove(). 
Para solucionarlo, compruebe si hay un `kbd-\u0026gt;backlight_dev` v\u00e1lido antes de llamar a timer_delete_sync."
    }
  ],
  "id": "CVE-2025-38378",
  "lastModified": "2025-07-25T15:29:19.837",
  "metrics": {},
  "published": "2025-07-25T13:15:26.917",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/38224c472a038fa9ccd4085511dd9f3d6119dbf9"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/51720dee3a61ebace36c3dcdd0b4a488e0970f29"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}

