APPLIED: [SRU][N][PATCH 0/1] CVE-2025-38666
Stefan Bader
stefan.bader at canonical.com
Fri Oct 31 10:18:15 UTC 2025
On 10/10/2025 14:04, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2025-38666
>
> [ Impact ]
>
> net: appletalk: Fix use-after-free in AARP proxy probe
>
> The AARP proxy-probe routine (aarp_proxy_probe_network) sends a probe,
> releases the aarp_lock, sleeps, then re-acquires the lock. During that
> window an expire timer thread (__aarp_expire_timer) can remove and
> kfree() the same entry, leading to a use-after-free.
>
> Race condition:
>
> cpu 0                               | cpu 1
> atalk_sendmsg()                     | atif_proxy_probe_device()
> aarp_send_ddp()                     | aarp_proxy_probe_network()
> mod_timer()                         | lock(aarp_lock) // LOCK!!
> timeout around 200ms                | alloc(aarp_entry)
> and then call                       | proxies[hash] = aarp_entry
> aarp_expire_timeout()               | aarp_send_probe()
>                                     | unlock(aarp_lock) // UNLOCK!!
> lock(aarp_lock) // LOCK!!           | msleep(100);
> __aarp_expire_timer(&proxies[ct])   |
> free(aarp_entry)                    |
> unlock(aarp_lock) // UNLOCK!!       |
>                                     | lock(aarp_lock) // LOCK!!
>                                     | UAF aarp_entry !!
>
> [ Fix ]
>
> Introduce a reference counter to the AARP proxy structure and ensure the
> probe increments that reference before dropping the lock and decrements
> it after finishing.
>
> Plucky: Will be fixed through upstream stable updates (LP: #2125820)
> Noble: Clean cherry pick from upstream
> Jammy: Will be fixed through upstream stable updates (LP: #2122364)
>
> [ Test Plan ]
>
> Compile tested only.
>
> [ Regression Potential ]
>
> The fix affects the AppleTalk AARP proxy-probe lifetime handling.
> An issue with this patch may introduce refcount/lock imbalances that
> prevent entries from expiring, or premature drops that break proxying.
>
> Kito Xu (veritas501) (1):
> net: appletalk: Fix use-after-free in AARP proxy probe
>
> net/appletalk/aarp.c | 24 +++++++++++++++++++++---
> 1 file changed, 21 insertions(+), 3 deletions(-)
>
Applied to noble:linux/master-next. Thanks.
-Stefan
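The lifetime bug and its fix described in the quoted report can be replayed deterministically in user space. The following is an added example, not the kernel patch or any code from net/appletalk/aarp.c: it models the proxy table, the lock and the expire path with plain C, splits the probe into a "start" phase (insert entry, take a reference, drop the lock to sleep) and a "finish" phase (re-acquire the lock, use the entry, drop the reference), and runs the expire path in between, exactly the interleaving from the race diagram. The names (`proxy_entry`, `probe_start`, `probe_finish`, `expire_all`, `run_race`) and the constructed target value 42 are assumptions of this model; the reference count is what keeps the entry alive across the window so the finish phase never touches freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of the AARP proxy-probe lifetime fix (added example,
 * not the kernel patch). A table entry is owned by the table slot and,
 * while a probe is in flight, also by the probe. The expire path only
 * drops the slot's reference, so it cannot free memory the sleeping
 * probe will touch when it re-acquires the lock. */

struct proxy_entry {
    int refcnt;   /* holders: the table slot plus any in-flight probe */
    int target;   /* hypothetical protocol address being proxied */
};

#define NSLOTS 4
static struct proxy_entry *proxies[NSLOTS]; /* model of the proxy table */
static int lock_held;                        /* model of aarp_lock */
static int entries_freed;                    /* model-only statistic */

static void table_lock(void)   { lock_held = 1; }
static void table_unlock(void) { lock_held = 0; }

/* Take an additional reference; caller must already hold one (or the lock). */
static void entry_get(struct proxy_entry *e) { e->refcnt++; }

/* Drop a reference; the memory is released only by the last holder. */
static void entry_put(struct proxy_entry *e)
{
    if (--e->refcnt == 0) {
        entries_freed++;
        free(e);
    }
}

/* Models __aarp_expire_timer: unlink every entry and drop the table's
 * own reference. An in-flight probe still holding a reference keeps the
 * entry alive; without the refcount this would be the freeing kfree(). */
static void expire_all(void)
{
    table_lock();
    for (int i = 0; i < NSLOTS; i++) {
        struct proxy_entry *e = proxies[i];
        if (e) {
            proxies[i] = NULL;
            entry_put(e);
        }
    }
    table_unlock();
}

/* Models the first half of aarp_proxy_probe_network: allocate, insert
 * under the lock, take the probe's reference, then unlock to "sleep". */
static struct proxy_entry *probe_start(int slot, int target)
{
    struct proxy_entry *e = calloc(1, sizeof(*e));
    if (!e)
        return NULL;
    e->target = target;
    table_lock();
    e->refcnt = 1;      /* reference owned by the table slot */
    proxies[slot] = e;
    entry_get(e);       /* reference owned by the in-flight probe */
    /* (send probe here) */
    table_unlock();     /* msleep() window: expire may run now */
    return e;
}

/* Models the second half: re-acquire the lock, use the entry, and drop
 * the probe's reference. The read is safe because we still hold a ref. */
static int probe_finish(struct proxy_entry *e)
{
    table_lock();
    int target = e->target;
    entry_put(e);       /* frees now if the table already let go */
    table_unlock();
    return target;
}

/* Replays the interleaving from the bug report: probe starts, the expire
 * timer runs during the sleep window, probe resumes. Returns the target
 * the probe read after the window, or -1 if the lifetime bookkeeping is
 * wrong (freed too early, or never freed). */
static int run_race(void)
{
    entries_freed = 0;
    struct proxy_entry *e = probe_start(0, 42);   /* cpu 1 */
    if (!e)
        return -1;
    expire_all();                                 /* cpu 0: timer fires */
    int freed_during_window = entries_freed;      /* must still be 0 */
    int t = probe_finish(e);                      /* cpu 1 resumes */
    return (freed_during_window == 0 && entries_freed == 1) ? t : -1;
}

int main(void)
{
    printf("probe read target %d after expire ran mid-sleep\n", run_race());
    return 0;
}
```

Removing the `entry_get()` in `probe_start` reproduces the pre-fix ownership model, where `expire_all()` would free the entry while the probe is still asleep; building with AddressSanitizer (`-fsanitize=address`) then reports the heap-use-after-free in `probe_finish`, which is the class of detection a reviewer would want alongside the refcount/lock-imbalance concerns raised in the regression-potential section.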