CVE-2025-38154

{"id": "CVE-2025-38154", "cveTags": [], "metrics": {}, "published": "2025-07-03T09:15:30.363", "references": [{"url": "https://git.kernel.org/stable/c/15c0250dae3b48a398447d2b364603821ed4ed90", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4c6fa65ab2aec7df94809478c8d28ef38676a1b7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4edb40b05cb6a261775abfd8046804ca139a5546", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7c0a16f6ea2b1c82a03bccd5d1bdb4a7bbd4d987", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8259eb0e06d8f64c700f5fbdb28a5c18e10de291", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b19cbf0b9a91f5a0d93fbcd761ff71c48ab40ed9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Avoid using sk_socket after free when sending\n\nThe sk->sk_socket is not locked or referenced in backlog thread, and\nduring the call to skb_send_sock(), there is a race condition with\nthe release of sk_socket. All types of sockets(tcp/udp/unix/vsock)\nwill be affected.\n\nRace conditions:\n'''\nCPU0 CPU1\n\nbacklog::skb_send_sock\n sendmsg_unlocked\n sock_sendmsg\n sock_sendmsg_nosec\n close(fd):\n ...\n ops->release() -> sock_map_close()\n sk_socket->ops = NULL\n free(socket)\n sock->ops->sendmsg\n ^\n panic here\n'''\n\nThe ref of psock become 0 after sock_map_close() executed.\n'''\nvoid sock_map_close()\n{\n ...\n if (likely(psock)) {\n ...\n // !! here we remove psock and the ref of psock become 0\n sock_map_remove_links(sk, psock)\n psock = sk_psock_get(sk);\n if (unlikely(!psock))\n goto no_psock; <=== Control jumps here via goto\n ...\n cancel_delayed_work_sync(&psock->work); <=== not executed\n sk_psock_put(sk, psock);\n ...\n}\n'''\n\nBased on the fact that we already wait for the workqueue to finish in\nsock_map_close() if psock is held, we simply increase the psock\nreference count to avoid race conditions.\n\nWith this patch, if the backlog thread is running, sock_map_close() will\nwait for the backlog thread to complete and cancel all pending work.\n\nIf no backlog running, any pending work that hasn't started by then will\nfail when invoked by sk_psock_get(), as the psock reference count have\nbeen zeroed, and sk_psock_drop() will cancel all jobs via\ncancel_delayed_work_sync().\n\nIn summary, we require synchronization to coordinate the backlog thread\nand close() thread.\n\nThe panic I catched:\n'''\nWorkqueue: events sk_psock_backlog\nRIP: 0010:sock_sendmsg+0x21d/0x440\nRAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001\n...\nCall Trace:\n <TASK>\n ? die_addr+0x40/0xa0\n ? exc_general_protection+0x14c/0x230\n ? asm_exc_general_protection+0x26/0x30\n ? sock_sendmsg+0x21d/0x440\n ? sock_sendmsg+0x3e0/0x440\n ? __pfx_sock_sendmsg+0x10/0x10\n __skb_send_sock+0x543/0xb70\n sk_psock_backlog+0x247/0xb80\n...\n'''"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf, sockmap: Evite usar sk_socket despu\u00e9s de liberar al enviar El sk-&gt;sk_socket no est\u00e1 bloqueado o referenciado en el hilo del backlog, y durante la llamada a skb_send_sock(), hay una condici\u00f3n de ejecuci\u00f3n con la liberaci\u00f3n de sk_socket. Todos los tipos de sockets (tcp/udp/unix/vsock) se ver\u00e1n afectados. Condiciones de ejecuciones: ''' CPU0 CPU1 backlog::skb_send_sock sendmsg_unlocked sock_sendmsg sock_sendmsg_nosec close(fd): ... ops-&gt;release() -&gt; sock_map_close() sk_socket-&gt;ops = NULL free(socket) sock-&gt;ops-&gt;sendmsg ^ p\u00e1nico aqu\u00ed ''' La referencia de psock se convierte en 0 despu\u00e9s de ejecutar sock_map_close(). ''' void sock_map_close() { ... if (likely(psock)) { ... // !! aqu\u00ed eliminamos psock y la referencia de psock se convierte en 0 sock_map_remove_links(sk, psock) psock = sk_psock_get(sk); if (unlikely(!psock)) goto no_psock; &lt;=== El control salta aqu\u00ed mediante goto ... cancel_delayed_work_sync(&amp;psock-&gt;work); &lt;=== no se ejecuta sk_psock_put(sk, psock); ... } ''' Bas\u00e1ndonos en el hecho de que ya esperamos a que finalice la cola de trabajo en sock_map_close() si psock est\u00e1 retenido, simplemente aumentamos el recuento de referencias de psock para evitar condiciones de ejecuci\u00f3n. Con este parche, si el hilo de la lista de tareas pendientes se est\u00e1 ejecutando, sock_map_close() esperar\u00e1 a que se complete el hilo de la lista de tareas pendientes y cancelar\u00e1 todo el trabajo pendiente. Si no hay trabajos pendientes en ejecuci\u00f3n, cualquier trabajo pendiente que no haya comenzado para entonces fallar\u00e1 al ser invocado por sk_psock_get(), ya que el recuento de referencias de psock se ha puesto a cero, y sk_psock_drop() cancelar\u00e1 todos los trabajos mediante cancel_delayed_work_sync(). En resumen, necesitamos sincronizaci\u00f3n para coordinar el hilo de trabajo pendiente y el hilo de cierre. El p\u00e1nico que me entr\u00f3: ''' Workqueue: events sk_psock_backlog RIP: 0010:sock_sendmsg+0x21d/0x440 RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001 ... Call Trace: ? die_addr+0x40/0xa0 ? exc_general_protection+0x14c/0x230 ? asm_exc_general_protection+0x26/0x30 ? sock_sendmsg+0x21d/0x440 ? sock_sendmsg+0x3e0/0x440 ? __pfx_sock_sendmsg+0x10/0x10 __skb_send_sock+0x543/0xb70 sk_psock_backlog+0x247/0xb80 ... ''' "}], "lastModified": "2025-07-03T15:13:53.147", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}