VulnerAlert



LINUX
18-12-2025 19:11

CVE-2025-38154 Documented vulnerability

No score
Tags
#using
#kernel
#add
#linux
#vulnerability
#affected
#patch
#protect
#execute
#affect
Description
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Avoid using sk_socket after free when sending

The sk->sk_socket is not locked or referenced in the backlog thread, and during the call to skb_send_sock(), there is a race condition with the release of sk_socket. All types of sockets (tcp/udp/unix/vsock) will be affected.

Race conditions:
'''
CPU0                                   CPU1

backlog::skb_send_sock
  sendmsg_unlocked
    sock_sendmsg
      sock_sendmsg_nosec
                                       close(fd):
                                         ...
                                         ops->release() -> sock_map_close()
                                         sk_socket->ops = NULL
                                         free(socket)
      sock->ops->sendmsg
            ^
            panic here
'''

The ref of psock becomes 0 after sock_map_close() is executed.
'''
void sock_map_close()
{
    ...
    if (likely(psock)) {
        ...
        // !! here we remove psock and the ref of psock becomes 0
        sock_map_remove_links(sk, psock)
        psock = sk_psock_get(sk);
        if (unlikely(!psock))
            goto no_psock; <=== Control jumps here via goto
        ...
        cancel_delayed_work_sync(&psock->work); <=== not executed
        sk_psock_put(sk, psock);
        ...
}
'''

Based on the fact that we already wait for the workqueue to finish in sock_map_close() if psock is held, we simply increase the psock reference count to avoid race conditions.

With this patch, if the backlog thread is running, sock_map_close() will wait for the backlog thread to complete and cancel all pending work.

If no backlog thread is running, any pending work that hasn't started by then will fail when invoked by sk_psock_get(), as the psock reference count has been zeroed, and sk_psock_drop() will cancel all jobs via cancel_delayed_work_sync().

In summary, we require synchronization to coordinate the backlog thread and the close() thread.

The panic I caught:
'''
Workqueue: events sk_psock_backlog
RIP: 0010:sock_sendmsg+0x21d/0x440
RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001
...
Call Trace:
 die_addr+0x40/0xa0
 exc_general_protection+0x14c/0x230
 asm_exc_general_protection+0x26/0x30
 sock_sendmsg+0x21d/0x440
 sock_sendmsg+0x3e0/0x440
 __pfx_sock_sendmsg+0x10/0x10
 __skb_send_sock+0x543/0xb70
 sk_psock_backlog+0x247/0xb80
 ...
'''
https://git.kernel.org/stable/c/15c0250dae3b48a398447d2b364603821ed4ed90
https://git.kernel.org/stable/c/4c6fa65ab2aec7df94809478c8d28ef38676a1b7
https://git.kernel.org/stable/c/4edb40b05cb6a261775abfd8046804ca139a5546
https://git.kernel.org/stable/c/7c0a16f6ea2b1c82a03bccd5d1bdb4a7bbd4d987
https://git.kernel.org/stable/c/8259eb0e06d8f64c700f5fbdb28a5c18e10de291
https://git.kernel.org/stable/c/b19cbf0b9a91f5a0d93fbcd761ff71c48ab40ed9
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38154
Similar results
Matching at least 50% of the tags
19-12-2025
Linux : SUSE Multi-Linux Manager Security Patch 5.0.6 Advisory SUSE-SU-2025:4466-1 ... https://...
18-12-2025
Linux : openSUSE: Important CVE-2025-47908 Patch Advisory Now Available An update that solves o...