ACK: [SRU][N][PATCH 0/1] CVE-2025-38666

Manuel Diewald manuel.diewald at canonical.com
Tue Oct 14 10:30:00 UTC 2025


On Fri, Oct 10, 2025 at 02:04:59PM +0200, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2025-38666
> 
> [ Impact ]
> 
> net: appletalk: Fix use-after-free in AARP proxy probe
> 
> The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe,
> releases the aarp_lock, sleeps, then re-acquires the lock.  During that
> window an expire timer thread (__aarp_expire_timer) can remove and
> kfree() the same entry, leading to a use-after-free.
> 
> Race condition:
> 
>          cpu 0                          |            cpu 1
>     atalk_sendmsg()                     |   atif_proxy_probe_device()
>     aarp_send_ddp()                     |   aarp_proxy_probe_network()
>     mod_timer()                         |   lock(aarp_lock) // LOCK!!
>     timeout around 200ms                |   alloc(aarp_entry)
>     and then call                       |   proxies[hash] = aarp_entry
>     aarp_expire_timeout()               |   aarp_send_probe()
>                                         |   unlock(aarp_lock) // UNLOCK!!
>     lock(aarp_lock) // LOCK!!           |   msleep(100);
>     __aarp_expire_timer(&proxies[ct])   |
>     free(aarp_entry)                    |
>     unlock(aarp_lock) // UNLOCK!!       |
>                                         |   lock(aarp_lock) // LOCK!!
>                                         |   UAF aarp_entry !!
> 
> [ Fix ]
> 
> Introduce a reference counter to the AARP proxy structure and ensure the
> probe increments that reference before dropping the lock and decrements
> it after finishing.
> 
> Plucky: Will be fixed through upstream stable updates (LP: #2125820)
> Noble: Clean cherry pick from upstream
> Jammy: Will be fixed through upstream stable updates (LP: #2122364)
> 
> [ Test Plan ]
> 
> Compile tested only.
> 
> [ Regression Potential ]
> 
> The fix affects the AppleTalk AARP proxy-probe lifetime handling.
> An issue with this patch may introduce refcount/lock imbalances that
> prevent entries from expiring, or premature drops that break proxying.
> 
> Kito Xu (veritas501) (1):
>   net: appletalk: Fix use-after-free in AARP proxy probe
> 
>  net/appletalk/aarp.c | 24 +++++++++++++++++++++---
>  1 file changed, 21 insertions(+), 3 deletions(-)
> 
> -- 
> 2.48.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald <manuel.diewald at canonical.com>

-- 
 Manuel
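The refcount pattern the cover letter describes, as an added single-threaded model in C. This is not the kernel patch: `entry`, `proxies`, `frees`, `expire_timer` and `proxy_probe` are simplified stand-ins for the aarp.c structures and functions, and the "sleep" is replaced by an optional call to the expire path so both the losing (unfixed) and winning (fixed) sides of the race can be observed safely.

```c
#include <stdlib.h>

/* Model of one AARP proxy entry with the added reference count. */
struct entry {
    int refcnt;    /* refcount_t in the real fix */
    int on_list;   /* still present in proxies[hash]? */
};

static struct entry *proxies;    /* one hash bucket (constructed) */
static int frees;                /* how many entries have been freed */
static int freed_during_sleep;   /* set when memory vanished while unlocked */

static void entry_put(struct entry *e)
{
    if (--e->refcnt == 0) { free(e); frees++; }   /* kfree() only on last ref */
}

/* __aarp_expire_timer: unlink the entry and drop the list's reference. */
static void expire_timer(void)
{
    struct entry *e = proxies;   /* runs with aarp_lock held */
    if (!e) return;
    proxies = NULL;
    e->on_list = 0;
    entry_put(e);
}

/* aarp_proxy_probe_network: take_ref selects the fixed behaviour,
 * expire_fires simulates cpu 0 running the timer while we are unlocked. */
static int proxy_probe(int take_ref, int expire_fires)
{
    struct entry *e = malloc(sizeof *e);
    int before, res;
    if (!e) return -3;
    e->refcnt = 1;                   /* the list's reference */
    e->on_list = 1;
    /* lock(aarp_lock) */
    proxies = e;
    if (take_ref) e->refcnt++;       /* the fix: pin the entry before unlocking */
    /* unlock(aarp_lock); msleep(100) -- the expire timer may run now */
    before = frees;
    if (expire_fires) expire_timer();
    freed_during_sleep = (frees != before);
    if (freed_during_sleep)
        return -2;                   /* unfixed path: e dangles; real code would touch it */
    /* lock(aarp_lock): a held reference guarantees e is still allocated */
    res = e->on_list ? 0 : -1;       /* expired meanwhile: report the probe as failed */
    if (take_ref) entry_put(e);      /* may free now that the probe is finished */
    /* unlock(aarp_lock) */
    return res;
}
```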