ghsa-q8ww-99pm-fjf2
Vulnerability from github
Published
2025-07-10 09:32
Modified
2025-07-10 09:32
Details

In the Linux kernel, the following vulnerability has been resolved:

net: atm: add lec_mutex

syzbot found its way in net/atm/lec.c, and found an error path in lecd_attach() could leave a dangling pointer in dev_lec[].

Add a mutex to protect dev_lecp[] uses from lecd_attach(), lec_vcc_attach() and lec_mcast_attach().

Following patch will use this mutex for /proc/net/atm/lec.

BUG: KASAN: slab-use-after-free in lecd_attach net/atm/lec.c:751 [inline] BUG: KASAN: slab-use-after-free in lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008 Read of size 8 at addr ffff88807c7b8e68 by task syz.1.17/6142

CPU: 1 UID: 0 PID: 6142 Comm: syz.1.17 Not tainted 6.16.0-rc1-syzkaller-00239-g08215f5486ec #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xcd/0x680 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 lecd_attach net/atm/lec.c:751 [inline] lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Allocated by task 6132: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4328 [inline] __kvmalloc_node_noprof+0x27b/0x620 mm/slub.c:5015 alloc_netdev_mqs+0xd2/0x1570 net/core/dev.c:11711 lecd_attach net/atm/lec.c:737 [inline] lane_ioctl+0x17db/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6132: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4643 [inline] kfree+0x2b4/0x4d0 mm/slub.c:4842 free_netdev+0x6c5/0x910 net/core/dev.c:11892 lecd_attach net/atm/lec.c:744 [inline] lane_ioctl+0x1ce8/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38323"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T09:15:26Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: add lec_mutex\n\nsyzbot found its way in net/atm/lec.c, and found an error path\nin lecd_attach() could leave a dangling pointer in dev_lec[].\n\nAdd a mutex to protect dev_lecp[] uses from lecd_attach(),\nlec_vcc_attach() and lec_mcast_attach().\n\nFollowing patch will use this mutex for /proc/net/atm/lec.\n\nBUG: KASAN: slab-use-after-free in lecd_attach net/atm/lec.c:751 [inline]\nBUG: KASAN: slab-use-after-free in lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008\nRead of size 8 at addr ffff88807c7b8e68 by task syz.1.17/6142\n\nCPU: 1 UID: 0 PID: 6142 Comm: syz.1.17 Not tainted 6.16.0-rc1-syzkaller-00239-g08215f5486ec #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n \u003cTASK\u003e\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:408 [inline]\n  print_report+0xcd/0x680 mm/kasan/report.c:521\n  kasan_report+0xe0/0x110 mm/kasan/report.c:634\n  lecd_attach net/atm/lec.c:751 [inline]\n  lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008\n  do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n  sock_do_ioctl+0x118/0x280 net/socket.c:1190\n  sock_ioctl+0x227/0x6b0 net/socket.c:1311\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl fs/ioctl.c:893 [inline]\n  __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nAllocated by task 6132:\n  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n  __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n  kasan_kmalloc include/linux/kasan.h:260 [inline]\n  __do_kmalloc_node mm/slub.c:4328 [inline]\n  __kvmalloc_node_noprof+0x27b/0x620 mm/slub.c:5015\n  alloc_netdev_mqs+0xd2/0x1570 net/core/dev.c:11711\n  lecd_attach net/atm/lec.c:737 [inline]\n  lane_ioctl+0x17db/0x23e0 net/atm/lec.c:1008\n  do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n  sock_do_ioctl+0x118/0x280 net/socket.c:1190\n  sock_ioctl+0x227/0x6b0 net/socket.c:1311\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl fs/ioctl.c:893 [inline]\n  __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 6132:\n  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576\n  poison_slab_object mm/kasan/common.c:247 [inline]\n  __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264\n  kasan_slab_free include/linux/kasan.h:233 [inline]\n  slab_free_hook mm/slub.c:2381 [inline]\n  slab_free mm/slub.c:4643 [inline]\n  kfree+0x2b4/0x4d0 mm/slub.c:4842\n  free_netdev+0x6c5/0x910 net/core/dev.c:11892\n  lecd_attach net/atm/lec.c:744 [inline]\n  lane_ioctl+0x1ce8/0x23e0 net/atm/lec.c:1008\n  do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n  sock_do_ioctl+0x118/0x280 net/socket.c:1190\n  sock_ioctl+0x227/0x6b0 net/socket.c:1311\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl fs/ioctl.c:893 [inline]\n  __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893",
  "id": "GHSA-q8ww-99pm-fjf2",
  "modified": "2025-07-10T09:32:30Z",
  "published": "2025-07-10T09:32:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38323"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/17e156a94e94a906a570dbf9b48877956c60bef8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/18e8f0c4f826fb08c2d3825cdd6c57e24b207e0a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/64b378db28a967f7b271b055380c2360279aa424"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a7a713dfb5f9477345450f27c7c0741864511192"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d13a3824bfd2b4774b671a75cf766a16637a0e67"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dffd03422ae6a459039c8602f410e6c0f4cbc6c8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e91274cc7ed88ab5bdc62d426067c82b0b118a0b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f4d80b16ecc4229f7e6345158ef34c36be323f0e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.