ACK: [SRU][N][PATCH 0/1] CVE-2025-38666
Bethany Jamison
bethany.jamison at canonical.com
Tue Oct 28 16:13:48 UTC 2025
On 10/10/25 7:04 AM, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2025-38666
>
> [ Impact ]
>
> net: appletalk: Fix use-after-free in AARP proxy probe
>
> The AARP proxy-probe routine (aarp_proxy_probe_network) sends a probe,
> releases the aarp_lock, sleeps, then re-acquires the lock. During that
> window an expire timer thread (__aarp_expire_timer) can remove and
> kfree() the same entry, leading to a use-after-free.
>
> Race condition:
>
>     cpu 0                              | cpu 1
>     atalk_sendmsg()                    | atif_proxy_probe_device()
>     aarp_send_ddp()                    | aarp_proxy_probe_network()
>     mod_timer()                        | lock(aarp_lock) // LOCK!!
>     timeout around 200ms               | alloc(aarp_entry)
>     and then call                      | proxies[hash] = aarp_entry
>     aarp_expire_timeout()              | aarp_send_probe()
>                                        | unlock(aarp_lock) // UNLOCK!!
>     lock(aarp_lock) // LOCK!!          | msleep(100);
>     __aarp_expire_timer(&proxies[ct])  |
>     free(aarp_entry)                   |
>     unlock(aarp_lock) // UNLOCK!!      |
>                                        | lock(aarp_lock) // LOCK!!
>                                        | UAF aarp_entry !!
>
> [ Fix ]
>
> Introduce a reference counter to the AARP proxy structure and ensure the
> probe increments that reference before dropping the lock and decrements
> it after finishing.
>
> Plucky: Will be fixed through upstream stable updates (LP: #2125820)
> Noble: Clean cherry pick from upstream
> Jammy: Will be fixed through upstream stable updates (LP: #2122364)
>
> [ Test Plan ]
>
> Compile tested only.
>
> [ Regression Potential ]
>
> The fix affects the AppleTalk AARP proxy-probe lifetime handling.
> An issue with this patch may introduce refcount/lock imbalances that
> prevent entries from expiring, or premature drops that break proxying.
>
> Kito Xu (veritas501) (1):
> net: appletalk: Fix use-after-free in AARP proxy probe
>
> net/appletalk/aarp.c | 24 +++++++++++++++++++++---
> 1 file changed, 21 insertions(+), 3 deletions(-)
>
Acked-by: Bethany Jamison <bethany.jamison at canonical.com>
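
The lifetime rule described in the quoted [ Fix ] section, as an added userspace sketch that is not part of this message or of the upstream patch: the prober pins the entry before dropping the lock, so the expiry path only unlinks it and the memory survives until the prober releases its pin. All names (entry, table_lock, proxy_slot, probe_begin, expire_timer, probe_end) are hypothetical stand-ins, and the interleaving is replayed sequentially rather than with real threads.

```c
#include <pthread.h>
#include <stdlib.h>
/* Userspace model; all names are hypothetical, not those in aarp.c. */
struct entry { int refcnt; int expired; };   /* both guarded by table_lock */
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static struct entry *proxy_slot;   /* stands in for proxies[hash] */
static int frees;                  /* counts real frees, for inspection */

/* Drop one reference; caller holds table_lock. Frees on the last put. */
static void entry_put(struct entry *e) { if (--e->refcnt == 0) { free(e); frees++; } }

/* Probe, first half: insert the entry, pin it, drop the lock to sleep. */
static struct entry *probe_begin(void)
{
    struct entry *e = calloc(1, sizeof(*e));
    if (!e) return NULL;
    pthread_mutex_lock(&table_lock);
    e->refcnt = 2;          /* one for the table, one for the sleeping prober */
    proxy_slot = e;
    pthread_mutex_unlock(&table_lock);
    return e;
}

/* Timer path: unlink and drop only the table's reference. */
static void expire_timer(void)
{
    pthread_mutex_lock(&table_lock);
    struct entry *e = proxy_slot;
    proxy_slot = NULL;
    if (e) { e->expired = 1; entry_put(e); }
    pthread_mutex_unlock(&table_lock);
}

/* Probe, second half: re-lock, read state, release the pin. */
static int probe_end(struct entry *e)
{
    pthread_mutex_lock(&table_lock);
    int was_expired = e->expired;   /* safe: the pin kept e allocated */
    entry_put(e);
    pthread_mutex_unlock(&table_lock);
    return was_expired;
}

int main(void)
{
    struct entry *e = probe_begin();
    if (!e) return 1;
    expire_timer();   /* fires while the prober "sleeps" unlocked */
    return (probe_end(e) == 1 && frees == 1) ? 0 : 1;
}
```

Setting the initial count to 1 in probe_begin reproduces the pre-fix lifetime in this model: expire_timer frees the entry and probe_end then reads freed memory, which AddressSanitizer reports as a heap-use-after-free.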