ghsa-j6m8-x4v6-3fgh
Vulnerability from github
Published
2025-07-25 15:30
Modified
2025-07-25 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe

In probe appletb_kbd_probe() a "struct appletb_kbd *kbd" is allocated via devm_kzalloc() to store touch bar keyboard related data. Later on if backlight_device_get_by_name() finds a backlight device with name "appletb_backlight" a timer (kbd->inactivity_timer) is setup with appletb_inactivity_timer() and the timer is armed to run after appletb_tb_dim_timeout (60) seconds.

A use-after-free is triggered when failure occurs after the timer is armed. This ultimately means probe failure occurs and as a result the "struct appletb_kbd *kbd" which is device managed memory is freed. After 60 seconds the timer will have expired and __run_timers will attempt to access the timer (kbd->inactivity_timer) however the kdb structure has been freed causing a use-after free.

[ 71.636938] ================================================================== [ 71.637915] BUG: KASAN: slab-use-after-free in __run_timers+0x7ad/0x890 [ 71.637915] Write of size 8 at addr ffff8881178c5958 by task swapper/1/0 [ 71.637915] [ 71.637915] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc2-00318-g739a6c93cc75-dirty #12 PREEMPT(voluntary) [ 71.637915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 71.637915] Call Trace: [ 71.637915] [ 71.637915] dump_stack_lvl+0x53/0x70 [ 71.637915] print_report+0xce/0x670 [ 71.637915] ? __run_timers+0x7ad/0x890 [ 71.637915] kasan_report+0xce/0x100 [ 71.637915] ? __run_timers+0x7ad/0x890 [ 71.637915] __run_timers+0x7ad/0x890 [ 71.637915] ? __pfxruntimers+0x10/0x10 [ 71.637915] ? update_process_times+0xfc/0x190 [ 71.637915] ? pfx_update_process_times+0x10/0x10 [ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0 [ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0 [ 71.637915] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 71.637915] run_timer_softirq+0x141/0x240 [ 71.637915] ? __pfx_run_timer_softirq+0x10/0x10 [ 71.637915] ? __pfxhrtimerrun_queues+0x10/0x10 [ 71.637915] ? kvm_clock_get_cycles+0x18/0x30 [ 71.637915] ? ktime_get+0x60/0x140 [ 71.637915] handle_softirqs+0x1b8/0x5c0 [ 71.637915] ? pfx_handle_softirqs+0x10/0x10 [ 71.637915] irq_exit_rcu+0xaf/0xe0 [ 71.637915] sysvec_apic_timer_interrupt+0x6c/0x80 [ 71.637915] [ 71.637915] [ 71.637915] Allocated by task 39: [ 71.637915] kasan_save_stack+0x33/0x60 [ 71.637915] kasan_save_track+0x14/0x30 [ 71.637915] __kasan_kmalloc+0x8f/0xa0 [ 71.637915] __kmalloc_node_track_caller_noprof+0x195/0x420 [ 71.637915] devm_kmalloc+0x74/0x1e0 [ 71.637915] appletb_kbd_probe+0x37/0x3c0 [ 71.637915] hid_device_probe+0x2d1/0x680 [ 71.637915] really_probe+0x1c3/0x690 [ 71.637915] __driver_probe_device+0x247/0x300 [ 71.637915] driver_probe_device+0x49/0x210 [...] [ 71.637915] [ 71.637915] Freed by task 39: [ 71.637915] kasan_save_stack+0x33/0x60 [ 71.637915] kasan_save_track+0x14/0x30 [ 71.637915] kasan_save_free_info+0x3b/0x60 [ 71.637915] __kasan_slab_free+0x37/0x50 [ 71.637915] kfree+0xcf/0x360 [ 71.637915] devres_release_group+0x1f8/0x3c0 [ 71.637915] hid_device_probe+0x315/0x680 [ 71.637915] really_probe+0x1c3/0x690 [ 71.637915] __driver_probe_device+0x247/0x300 [ 71.637915] driver_probe_device+0x49/0x210 [...]

The root cause of the issue is that the timer is not disarmed on failure paths leading to it remaining active and accessing freed memory. To fix this call timer_delete_sync() to deactivate the timer.

Another small issue is that timer_delete_sync is called unconditionally in appletb_kbd_remove(), fix this by checking for a valid kbd->backlight_dev before calling timer_delete_sync.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38378"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-25T13:15:26Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\n\nIn probe appletb_kbd_probe() a \"struct appletb_kbd *kbd\" is allocated\nvia devm_kzalloc() to store touch bar keyboard related data.\nLater on if backlight_device_get_by_name() finds a backlight device\nwith name \"appletb_backlight\" a timer (kbd-\u003einactivity_timer) is setup\nwith appletb_inactivity_timer() and the timer is armed to run after\nappletb_tb_dim_timeout (60) seconds.\n\nA use-after-free is triggered when failure occurs after the timer is\narmed. This ultimately means probe failure occurs and as a result the\n\"struct appletb_kbd *kbd\" which is device managed memory is freed.\nAfter 60 seconds the timer will have expired and __run_timers will\nattempt to access the timer (kbd-\u003einactivity_timer) however the kdb\nstructure has been freed causing a use-after free.\n\n[   71.636938] ==================================================================\n[   71.637915] BUG: KASAN: slab-use-after-free in __run_timers+0x7ad/0x890\n[   71.637915] Write of size 8 at addr ffff8881178c5958 by task swapper/1/0\n[   71.637915]\n[   71.637915] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc2-00318-g739a6c93cc75-dirty #12 PREEMPT(voluntary)\n[   71.637915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n[   71.637915] Call Trace:\n[   71.637915]  \u003cIRQ\u003e\n[   71.637915]  dump_stack_lvl+0x53/0x70\n[   71.637915]  print_report+0xce/0x670\n[   71.637915]  ? __run_timers+0x7ad/0x890\n[   71.637915]  kasan_report+0xce/0x100\n[   71.637915]  ? __run_timers+0x7ad/0x890\n[   71.637915]  __run_timers+0x7ad/0x890\n[   71.637915]  ? __pfx___run_timers+0x10/0x10\n[   71.637915]  ? update_process_times+0xfc/0x190\n[   71.637915]  ? __pfx_update_process_times+0x10/0x10\n[   71.637915]  ? _raw_spin_lock_irq+0x80/0xe0\n[   71.637915]  ? _raw_spin_lock_irq+0x80/0xe0\n[   71.637915]  ? __pfx__raw_spin_lock_irq+0x10/0x10\n[   71.637915]  run_timer_softirq+0x141/0x240\n[   71.637915]  ? __pfx_run_timer_softirq+0x10/0x10\n[   71.637915]  ? __pfx___hrtimer_run_queues+0x10/0x10\n[   71.637915]  ? kvm_clock_get_cycles+0x18/0x30\n[   71.637915]  ? ktime_get+0x60/0x140\n[   71.637915]  handle_softirqs+0x1b8/0x5c0\n[   71.637915]  ? __pfx_handle_softirqs+0x10/0x10\n[   71.637915]  irq_exit_rcu+0xaf/0xe0\n[   71.637915]  sysvec_apic_timer_interrupt+0x6c/0x80\n[   71.637915]  \u003c/IRQ\u003e\n[   71.637915]\n[   71.637915] Allocated by task 39:\n[   71.637915]  kasan_save_stack+0x33/0x60\n[   71.637915]  kasan_save_track+0x14/0x30\n[   71.637915]  __kasan_kmalloc+0x8f/0xa0\n[   71.637915]  __kmalloc_node_track_caller_noprof+0x195/0x420\n[   71.637915]  devm_kmalloc+0x74/0x1e0\n[   71.637915]  appletb_kbd_probe+0x37/0x3c0\n[   71.637915]  hid_device_probe+0x2d1/0x680\n[   71.637915]  really_probe+0x1c3/0x690\n[   71.637915]  __driver_probe_device+0x247/0x300\n[   71.637915]  driver_probe_device+0x49/0x210\n[...]\n[   71.637915]\n[   71.637915] Freed by task 39:\n[   71.637915]  kasan_save_stack+0x33/0x60\n[   71.637915]  kasan_save_track+0x14/0x30\n[   71.637915]  kasan_save_free_info+0x3b/0x60\n[   71.637915]  __kasan_slab_free+0x37/0x50\n[   71.637915]  kfree+0xcf/0x360\n[   71.637915]  devres_release_group+0x1f8/0x3c0\n[   71.637915]  hid_device_probe+0x315/0x680\n[   71.637915]  really_probe+0x1c3/0x690\n[   71.637915]  __driver_probe_device+0x247/0x300\n[   71.637915]  driver_probe_device+0x49/0x210\n[...]\n\nThe root cause of the issue is that the timer is not disarmed\non failure paths leading to it remaining active and accessing\nfreed memory. To fix this call timer_delete_sync() to deactivate\nthe timer.\n\nAnother small issue is that timer_delete_sync is called\nunconditionally in appletb_kbd_remove(), fix this by checking\nfor a valid kbd-\u003ebacklight_dev before calling timer_delete_sync.",
  "id": "GHSA-j6m8-x4v6-3fgh",
  "modified": "2025-07-25T15:30:51Z",
  "published": "2025-07-25T15:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38378"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/38224c472a038fa9ccd4085511dd9f3d6119dbf9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/51720dee3a61ebace36c3dcdd0b4a488e0970f29"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.