CVE-2025-38323
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38323
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38323.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38323
- Downstream
- Published
- 2025-07-10T09:15:26Z
- Modified
- 2025-07-10T17:12:10.701338Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net: atm: add lec_mutex
syzbot found its way in net/atm/lec.c, and found an error path in lecdattach() could leave a dangling pointer in devlec[].
Add a mutex to protect devlecp[] uses from lecdattach(), lecvccattach() and lecmcastattach().
Following patch will use this mutex for /proc/net/atm/lec.
BUG: KASAN: slab-use-after-free in lecdattach net/atm/lec.c:751 [inline] BUG: KASAN: slab-use-after-free in laneioctl+0x2224/0x23e0 net/atm/lec.c:1008 Read of size 8 at addr ffff88807c7b8e68 by task syz.1.17/6142
CPU: 1 UID: 0 PID: 6142 Comm: syz.1.17 Not tainted 6.16.0-rc1-syzkaller-00239-g08215f5486ec #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x116/0x1f0 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:408 [inline] printreport+0xcd/0x680 mm/kasan/report.c:521 kasanreport+0xe0/0x110 mm/kasan/report.c:634 lecdattach net/atm/lec.c:751 [inline] laneioctl+0x2224/0x23e0 net/atm/lec.c:1008 dovccioctl+0x12c/0x930 net/atm/ioctl.c:159 sockdoioctl+0x118/0x280 net/socket.c:1190 sockioctl+0x227/0x6b0 net/socket.c:1311 vfsioctl fs/ioctl.c:51 [inline] _dosysioctl fs/ioctl.c:907 [inline] _sesysioctl fs/ioctl.c:893 [inline] _x64sysioctl+0x18e/0x210 fs/ioctl.c:893 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xcd/0x4c0 arch/x86/entry/syscall64.c:94 entrySYSCALL64after_hwframe+0x77/0x7f </TASK>
Allocated by task 6132: kasansavestack+0x33/0x60 mm/kasan/common.c:47 kasansavetrack+0x14/0x30 mm/kasan/common.c:68 poisonkmallocredzone mm/kasan/common.c:377 [inline] _kasankmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasankmalloc include/linux/kasan.h:260 [inline] _dokmallocnode mm/slub.c:4328 [inline] _kvmallocnodenoprof+0x27b/0x620 mm/slub.c:5015 allocnetdevmqs+0xd2/0x1570 net/core/dev.c:11711 lecdattach net/atm/lec.c:737 [inline] laneioctl+0x17db/0x23e0 net/atm/lec.c:1008 dovccioctl+0x12c/0x930 net/atm/ioctl.c:159 sockdoioctl+0x118/0x280 net/socket.c:1190 sockioctl+0x227/0x6b0 net/socket.c:1311 vfsioctl fs/ioctl.c:51 [inline] _dosysioctl fs/ioctl.c:907 [inline] _sesysioctl fs/ioctl.c:893 [inline] _x64sysioctl+0x18e/0x210 fs/ioctl.c:893 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xcd/0x4c0 arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x77/0x7f
Freed by task 6132: kasansavestack+0x33/0x60 mm/kasan/common.c:47 kasansavetrack+0x14/0x30 mm/kasan/common.c:68 kasansavefreeinfo+0x3b/0x60 mm/kasan/generic.c:576 poisonslabobject mm/kasan/common.c:247 [inline] _kasanslabfree+0x51/0x70 mm/kasan/common.c:264 kasanslabfree include/linux/kasan.h:233 [inline] slabfreehook mm/slub.c:2381 [inline] slabfree mm/slub.c:4643 [inline] kfree+0x2b4/0x4d0 mm/slub.c:4842 freenetdev+0x6c5/0x910 net/core/dev.c:11892 lecdattach net/atm/lec.c:744 [inline] laneioctl+0x1ce8/0x23e0 net/atm/lec.c:1008 dovccioctl+0x12c/0x930 net/atm/ioctl.c:159 sockdoioctl+0x118/0x280 net/socket.c:1190 sockioctl+0x227/0x6b0 net/socket.c:1311 vfsioctl fs/ioctl.c:51 [inline] _dosysioctl fs/ioctl.c:907 [inline] _sesysioctl fs/ioctl.c:893 [inline] _x64sys_ioctl+0x18e/0x210 fs/ioctl.c:893
- References
-
- https://git.kernel.org/stable/c/17e156a94e94a906a570dbf9b48877956c60bef8
- https://git.kernel.org/stable/c/18e8f0c4f826fb08c2d3825cdd6c57e24b207e0a
- https://git.kernel.org/stable/c/64b378db28a967f7b271b055380c2360279aa424
- https://git.kernel.org/stable/c/a7a713dfb5f9477345450f27c7c0741864511192
- https://git.kernel.org/stable/c/d13a3824bfd2b4774b671a75cf766a16637a0e67
- https://git.kernel.org/stable/c/dffd03422ae6a459039c8602f410e6c0f4cbc6c8
- https://git.kernel.org/stable/c/e91274cc7ed88ab5bdc62d426067c82b0b118a0b
- https://git.kernel.org/stable/c/f4d80b16ecc4229f7e6345158ef34c36be323f0e
- https://security-tracker.debian.org/tracker/CVE-2025-38323
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.12.35-1