[SRU][N][PATCH 0/1] CVE-2025-38666
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Fri Oct 10 12:04:59 UTC 2025
https://ubuntu.com/security/CVE-2025-38666
[ Impact ]
net: appletalk: Fix use-after-free in AARP proxy probe
The AARP proxy-probe routine (aarp_proxy_probe_network) sends a probe,
releases the aarp_lock, sleeps, then re-acquires the lock. During that
window an expire timer thread (__aarp_expire_timer) can remove and
kfree() the same entry, leading to a use-after-free.
Race condition:

cpu 0                                  | cpu 1
atalk_sendmsg()                        | atif_proxy_probe_device()
 aarp_send_ddp()                       |  aarp_proxy_probe_network()
  mod_timer()                          |   lock(aarp_lock) // LOCK!!
   timeout around 200ms                |   alloc(aarp_entry)
   and then call                       |   proxies[hash] = aarp_entry
   aarp_expire_timeout()               |   aarp_send_probe()
                                       |   unlock(aarp_lock) // UNLOCK!!
   lock(aarp_lock) // LOCK!!           |   msleep(100);
   __aarp_expire_timer(&proxies[ct])   |
    free(aarp_entry)                   |
   unlock(aarp_lock) // UNLOCK!!       |
                                       |   lock(aarp_lock) // LOCK!!
                                       |   UAF aarp_entry !!
[ Fix ]
Introduce a reference counter to the AARP proxy structure and ensure the
probe increments that reference before dropping the lock and decrements
it after finishing.
Plucky: Will be fixed through upstream stable updates (LP: #2125820)
Noble: Clean cherry pick from upstream
Jammy: Will be fixed through upstream stable updates (LP: #2122364)
[ Test Plan ]
Compile tested only.
[ Regression Potential ]
The fix affects the AppleTalk AARP proxy-probe lifetime handling.
An issue with this patch may introduce refcount/lock imbalances that
prevent entries from expiring, or premature drops that break proxying.
Kito Xu (veritas501) (1):
net: appletalk: Fix use-after-free in AARP proxy probe
net/appletalk/aarp.c | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
--
2.48.1
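The interleaving described in the cover letter, and the refcount fix it summarises, modelled in user-space C. This is an added illustration, not the kernel's code or the patch itself: the type, the get/put helpers, the pool allocator and the function names (fake_kmalloc, aarp_entry_get, aarp_entry_put, expire_timer, run_scenario) are ours, and kmalloc/kfree are replaced by a static pool that marks a slot as freed rather than releasing it, so the "use after free" can be detected instead of being undefined behaviour. The single lock is modelled as a depth counter purely to check that the fixed path leaves no lock imbalance, which is the regression the [ Regression Potential ] section worries about.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4
#define AARP_HASH_SIZE 2

enum slot_state { SLOT_UNUSED, SLOT_LIVE, SLOT_FREED };
enum probe_result { PROBE_OK, PROBE_UAF, PROBE_LOCK_IMBALANCE };

/* Pared-down stand-in for struct aarp_entry (field names are ours). */
struct aarp_entry {
    struct aarp_entry *next;
    int refcnt;            /* the counter the fix adds; the proxies[] table holds one ref */
    int status;            /* probe state the caller touches again after sleeping */
    enum slot_state slot;  /* pool bookkeeping so a use-after-free is detectable */
};

static struct aarp_entry pool[POOL_SIZE];
static struct aarp_entry *proxies[AARP_HASH_SIZE];
static int lock_depth;     /* stand-in for aarp_lock: 1 while held, 0 otherwise */

static void aarp_lock(void)   { lock_depth++; }
static void aarp_unlock(void) { lock_depth--; }

/* kmalloc/kfree stand-ins: a freed slot is never handed out again, so a
 * later access can be recognised instead of being undefined behaviour. */
static struct aarp_entry *fake_kmalloc(void)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].slot == SLOT_UNUSED) {
            pool[i].slot = SLOT_LIVE;
            return &pool[i];
        }
    }
    return NULL;
}

static void fake_kfree(struct aarp_entry *e) { e->slot = SLOT_FREED; }

static void aarp_entry_get(struct aarp_entry *e) { e->refcnt++; }

static void aarp_entry_put(struct aarp_entry *e)
{
    if (--e->refcnt == 0)
        fake_kfree(e);
}

/* Timer side (cpu 0 in the diagram): unlink every entry in the bucket once
 * the probe timeout has passed. Unfixed, it frees outright; fixed, it only
 * drops the reference the table held. */
static void expire_timer(struct aarp_entry **n, bool with_fix)
{
    while (*n) {
        struct aarp_entry *e = *n;
        *n = e->next;
        if (with_fix)
            aarp_entry_put(e);
        else
            fake_kfree(e);
    }
}

/* Probe side (cpu 1). The sleep is where the timer may run in the real
 * race; here the caller decides whether it does, so both schedules can be
 * exercised deterministically. */
static enum probe_result aarp_proxy_probe_network(bool with_fix, bool timer_fires)
{
    int hash = 0;
    struct aarp_entry *e;
    enum probe_result rc;

    aarp_lock();
    e = fake_kmalloc();
    e->status = 1;                       /* "probing" */
    e->next = proxies[hash];
    proxies[hash] = e;
    if (with_fix) {
        e->refcnt = 1;                   /* reference owned by the table */
        aarp_entry_get(e);               /* our own reference, held across the sleep */
    }
    aarp_unlock();

    if (timer_fires) {                   /* msleep(100): expiry runs meanwhile */
        aarp_lock();
        expire_timer(&proxies[hash], with_fix);
        aarp_unlock();
    }

    aarp_lock();
    if (e->slot == SLOT_FREED) {
        rc = PROBE_UAF;                  /* the real code would now touch freed memory */
    } else {
        e->status = 0;                   /* the access that is unsafe without the fix */
        rc = PROBE_OK;
        if (with_fix)
            aarp_entry_put(e);           /* frees here if the table already dropped its ref */
    }
    aarp_unlock();

    return lock_depth == 0 ? rc : PROBE_LOCK_IMBALANCE;
}

/* Reset the model and run one schedule. */
static enum probe_result run_scenario(bool with_fix, bool timer_fires)
{
    memset(pool, 0, sizeof pool);
    memset(proxies, 0, sizeof proxies);
    lock_depth = 0;
    return aarp_proxy_probe_network(with_fix, timer_fires);
}

int main(void)
{
    printf("unfixed, timer fires during sleep: %s\n",
           run_scenario(false, true) == PROBE_UAF ? "use-after-free" : "ok");
    printf("fixed, timer fires during sleep:   %s\n",
           run_scenario(true, true) == PROBE_OK ? "ok" : "BROKEN");
    return 0;
}
```

With the timer firing during the sleep, the unfixed schedule reaches the entry after the expiry path has freed it; the fixed schedule keeps the entry alive on the probe's own reference, and the final put is what frees it, exactly once, with the lock released as many times as it was taken. When the timer does not fire, the table's reference survives the probe's put, so the entry stays in proxies[] as before.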