GHSA-PMXH-5JPF-C7JQ
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-26 00:30
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix UAF on smcsk after smc_listen_out()
BPF CI testing reports a UAF issue:
    [ 16.446633] BUG: kernel NULL pointer dereference, address: 0000000000000030
    [ 16.447134] #PF: supervisor read access in kernel mode
    [ 16.447516] #PF: error_code(0x0000) - not-present page
    [ 16.447878] PGD 0 P4D 0
    [ 16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
    [ 16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G OE 6.13.0-rc3-g89e8a75fda73-dirty #42
    [ 16.449124] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
    [ 16.449502] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
    [ 16.450201] Workqueue: smc_hs_wq smc_listen_work
    [ 16.450531] RIP: 0010:smc_listen_work+0xc02/0x1590
    [ 16.452158] RSP: 0018:ffffb5ab40053d98 EFLAGS: 00010246
    [ 16.452526] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000300
    [ 16.452994] RDX: 0000000000000280 RSI: 00003513840053f0 RDI: 0000000000000000
    [ 16.453492] RBP: ffffa097808e3800 R08: ffffa09782dba1e0 R09: 0000000000000005
    [ 16.453987] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa09782746400
    [ 16.454497] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa09782d40920
    [ 16.454996] FS: 0000000000000000(0000) GS:ffffa097bbc00000(0000) knlGS:0000000000000000
    [ 16.455557] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 16.455961] CR2: 0000000000000030 CR3: 0000000102788004 CR4: 0000000000770ef0
    [ 16.456459] PKRU: 55555554
    [ 16.456654] Call Trace:
    [ 16.456832] <TASK>
    [ 16.456989] ? __die+0x23/0x70
    [ 16.457215] ? page_fault_oops+0x180/0x4c0
    [ 16.457508] ? __lock_acquire+0x3e6/0x2490
    [ 16.457801] ? exc_page_fault+0x68/0x200
    [ 16.458080] ? asm_exc_page_fault+0x26/0x30
    [ 16.458389] ? smc_listen_work+0xc02/0x1590
    [ 16.458689] ? smc_listen_work+0xc02/0x1590
    [ 16.458987] ? lock_is_held_type+0x8f/0x100
    [ 16.459284] process_one_work+0x1ea/0x6d0
    [ 16.459570] worker_thread+0x1c3/0x380
    [ 16.459839] ? __pfx_worker_thread+0x10/0x10
    [ 16.460144] kthread+0xe0/0x110
    [ 16.460372] ? __pfx_kthread+0x10/0x10
    [ 16.460640] ret_from_fork+0x31/0x50
    [ 16.460896] ? __pfx_kthread+0x10/0x10
    [ 16.461166] ret_from_fork_asm+0x1a/0x30
    [ 16.461453] </TASK>
    [ 16.461616] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE)]
    [ 16.462134] CR2: 0000000000000030
    [ 16.462380] ---[ end trace 0000000000000000 ]---
    [ 16.462710] RIP: 0010:smc_listen_work+0xc02/0x1590
The direct cause of this issue is that after smc_listen_out_connected(), newclcsock->sk may be NULL since it will release the smcsk. Therefore, if the application closes the socket immediately after accept, newclcsock->sk can be NULL. A possible execution order could be as follows:
    smc_listen_work                                 | userspace
    -----------------------------------------------------------------
    lock_sock(sk)                                   |
    smc_listen_out_connected()                      |
    | \- smc_listen_out                             |
    |    | \- release_sock                          |
         | |- sk->sk_data_ready()                   |
                                                    | fd = accept();
                                                    | close(fd);
                                                    |  \- socket->sk = NULL;
    /* newclcsock->sk is NULL now */
    SMC_STAT_SERV_SUCC_INC(sock_net(newclcsock->sk))
Since smc_listen_out_connected() will not fail, simply swapping the order of the code can easily fix this issue.
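The ordering problem described above, as a userspace C model added here for illustration; it is not the kernel's code or the upstream patch. All struct and function names are hypothetical stand-ins, the racing accept()/close() is simulated deterministically, and the model assumes the fix performs the statistics update before smc_listen_out_connected(), following the advisory's "swapping the order".

```c
#include <stddef.h>
#include <stdio.h>
/* Userspace model only: hypothetical stand-ins for the kernel objects. */
struct net    { int serv_succ; };   /* per-namespace success counter */
struct sock   { struct net *net; };
struct socket { struct sock *sk; };

/* Stand-in for userspace accept() + close(): the socket loses its sk. */
static void user_accept_then_close(struct socket *s) { s->sk = NULL; }
/* Stand-in for smc_listen_out_connected(); the race is simulated inline. */
static void listen_out_connected(struct socket *s, int user_races)
{
    if (user_races)
        user_accept_then_close(s);
}

/* Pre-fix order: hand the socket over, then read s->sk for the counter.
 * Returns -1 at the point where the kernel dereferenced NULL. */
static int listen_work_before_fix(struct socket *s, int user_races)
{
    listen_out_connected(s, user_races);
    if (s->sk == NULL)              /* model-only guard; the kernel had none */
        return -1;
    s->sk->net->serv_succ++;
    return 0;
}

/* Post-fix order: bump the counter while the worker still owns s->sk. */
static int listen_work_after_fix(struct socket *s, int user_races)
{
    s->sk->net->serv_succ++;
    listen_out_connected(s, user_races);
    return 0;
}

/* Runs one ordering on a fresh socket; *count receives the counter value. */
static int run_case(int fixed, int user_races, int *count)
{
    struct net n = { 0 };
    struct sock k = { &n };
    struct socket s = { &k };
    int rc = (fixed ? listen_work_after_fix : listen_work_before_fix)(&s, user_races);
    *count = n.serv_succ;
    return rc;
}

int main(void)
{
    int c1, c2, r1 = run_case(0, 1, &c1), r2 = run_case(1, 1, &c2);
    printf("before fix: rc=%d count=%d\nafter fix:  rc=%d count=%d\n", r1, c1, r2, c2);
    return 0;
}
```

With the racing close enabled, the pre-fix order reaches the NULL `sk` before it can count the connection, while the post-fix order counts it and never reads `sk` after the hand-off.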
{
"affected": [],
"aliases": [
"CVE-2025-38734"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T18:15:42Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix UAF on smcsk after smc_listen_out()\n\nBPF CI testing report a UAF issue:\n\n [ 16.446633] BUG: kernel NULL pointer dereference, address: 000000000000003 0\n [ 16.447134] #PF: supervisor read access in kernel mod e\n [ 16.447516] #PF: error_code(0x0000) - not-present pag e\n [ 16.447878] PGD 0 P4D 0\n [ 16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPT I\n [ 16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G OE 6.13.0-rc3-g89e8a75fda73-dirty #4 2\n [ 16.449124] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODUL E\n [ 16.449502] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/201 4\n [ 16.450201] Workqueue: smc_hs_wq smc_listen_wor k\n [ 16.450531] RIP: 0010:smc_listen_work+0xc02/0x159 0\n [ 16.452158] RSP: 0018:ffffb5ab40053d98 EFLAGS: 0001024 6\n [ 16.452526] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 000000000000030 0\n [ 16.452994] RDX: 0000000000000280 RSI: 00003513840053f0 RDI: 000000000000000 0\n [ 16.453492] RBP: ffffa097808e3800 R08: ffffa09782dba1e0 R09: 000000000000000 5\n [ 16.453987] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa0978274640 0\n [ 16.454497] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa09782d4092 0\n [ 16.454996] FS: 0000000000000000(0000) GS:ffffa097bbc00000(0000) knlGS:000000000000000 0\n [ 16.455557] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003 3\n [ 16.455961] CR2: 0000000000000030 CR3: 0000000102788004 CR4: 0000000000770ef 0\n [ 16.456459] PKRU: 5555555 4\n [ 16.456654] Call Trace :\n [ 16.456832] \u003cTASK \u003e\n [ 16.456989] ? __die+0x23/0x7 0\n [ 16.457215] ? page_fault_oops+0x180/0x4c 0\n [ 16.457508] ? __lock_acquire+0x3e6/0x249 0\n [ 16.457801] ? exc_page_fault+0x68/0x20 0\n [ 16.458080] ? asm_exc_page_fault+0x26/0x3 0\n [ 16.458389] ? smc_listen_work+0xc02/0x159 0\n [ 16.458689] ? smc_listen_work+0xc02/0x159 0\n [ 16.458987] ? 
lock_is_held_type+0x8f/0x10 0\n [ 16.459284] process_one_work+0x1ea/0x6d 0\n [ 16.459570] worker_thread+0x1c3/0x38 0\n [ 16.459839] ? __pfx_worker_thread+0x10/0x1 0\n [ 16.460144] kthread+0xe0/0x11 0\n [ 16.460372] ? __pfx_kthread+0x10/0x1 0\n [ 16.460640] ret_from_fork+0x31/0x5 0\n [ 16.460896] ? __pfx_kthread+0x10/0x1 0\n [ 16.461166] ret_from_fork_asm+0x1a/0x3 0\n [ 16.461453] \u003c/TASK \u003e\n [ 16.461616] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE) ]\n [ 16.462134] CR2: 000000000000003 0\n [ 16.462380] ---[ end trace 0000000000000000 ]---\n [ 16.462710] RIP: 0010:smc_listen_work+0xc02/0x1590\n\nThe direct cause of this issue is that after smc_listen_out_connected(),\nnewclcsock-\u003esk may be NULL since it will releases the smcsk. Therefore,\nif the application closes the socket immediately after accept,\nnewclcsock-\u003esk can be NULL. A possible execution order could be as\nfollows:\n\nsmc_listen_work | userspace\n-----------------------------------------------------------------\nlock_sock(sk) |\nsmc_listen_out_connected() |\n| \\- smc_listen_out |\n| | \\- release_sock |\n | |- sk-\u003esk_data_ready() |\n | fd = accept();\n | close(fd);\n | \\- socket-\u003esk = NULL;\n/* newclcsock-\u003esk is NULL now */\nSMC_STAT_SERV_SUCC_INC(sock_net(newclcsock-\u003esk))\n\nSince smc_listen_out_connected() will not fail, simply swapping the order\nof the code can easily fix this issue.",
"id": "GHSA-pmxh-5jpf-c7jq",
"modified": "2025-11-26T00:30:16Z",
"published": "2025-09-05T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38734"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/070b4af44c4b6e4c35fb1ca7001a6a88fd2d318f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2e765ba0ee0eae35688b443e97108308a716773e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/85545f1525f9fa9bf44fec77ba011024f15da342"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d9cef55ed49117bd63695446fb84b4b91815c0b4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}