Acknowledged
Created: Jun 19, 2025
Updated: Jun 20, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]smb: client: Fix use-after-free in cifs_fill_dirent[EOL][EOL]There is a race condition in the readdir concurrency process, which may[EOL]access the rsp buffer after it has been released, triggering the[EOL]following KASAN warning.[EOL][EOL] ==================================================================[EOL] BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs][EOL] Read of size 4 at addr ffff8880099b819c by task a.out/342975[EOL][EOL] CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)[EOL] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014[EOL] Call Trace:[EOL] <TASK>[EOL] dump_stack_lvl+0x53/0x70[EOL] print_report+0xce/0x640[EOL] kasan_report+0xb8/0xf0[EOL] cifs_fill_dirent+0xb03/0xb60 [cifs][EOL] cifs_readdir+0x12cb/0x3190 [cifs][EOL] iterate_dir+0x1a1/0x520[EOL] __x64_sys_getdents+0x134/0x220[EOL] do_syscall_64+0x4b/0x110[EOL] entry_SYSCALL_64_after_hwframe+0x76/0x7e[EOL] RIP: 0033:0x7f996f64b9f9[EOL] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89[EOL] f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01[EOL] f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8[EOL] RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e[EOL] RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9[EOL] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003[EOL] RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000[EOL] R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88[EOL] R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000[EOL] </TASK>[EOL][EOL] Allocated by task 408:[EOL] kasan_save_stack+0x20/0x40[EOL] kasan_save_track+0x14/0x30[EOL] __kasan_slab_alloc+0x6e/0x70[EOL] kmem_cache_alloc_noprof+0x117/0x3d0[EOL] mempool_alloc_noprof+0xf2/0x2c0[EOL] cifs_buf_get+0x36/0x80 [cifs][EOL] allocate_buffers+0x1d2/0x330 [cifs][EOL] cifs_demultiplex_thread+0x22b/0x2690 [cifs][EOL] kthread+0x394/0x720[EOL] ret_from_fork+0x34/0x70[EOL] ret_from_fork_asm+0x1a/0x30[EOL][EOL] Freed by task 342979:[EOL] kasan_save_stack+0x20/0x40[EOL] kasan_save_track+0x14/0x30[EOL] kasan_save_free_info+0x3b/0x60[EOL] __kasan_slab_free+0x37/0x50[EOL] kmem_cache_free+0x2b8/0x500[EOL] cifs_buf_release+0x3c/0x70 [cifs][EOL] cifs_readdir+0x1c97/0x3190 [cifs][EOL] iterate_dir+0x1a1/0x520[EOL] __x64_sys_getdents64+0x134/0x220[EOL] do_syscall_64+0x4b/0x110[EOL] entry_SYSCALL_64_after_hwframe+0x76/0x7e[EOL][EOL] The buggy address belongs to the object at ffff8880099b8000[EOL] which belongs to the cache cifs_request of size 16588[EOL] The buggy address is located 412 bytes inside of[EOL] freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)[EOL][EOL] The buggy address belongs to the physical page:[EOL] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8[EOL] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0[EOL] anon flags: 0x80000000000040(head (node=0|zone=1)[EOL) page_type: f5(slab)EOL] raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001[EOL] raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000[EOL] head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001[EOL] head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000[EOL] head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff[EOL] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008[EOL] page dumped because: kasan: bad access detected[EOL][EOL] Memory state around the buggy address:[EOL] ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb[EOL] ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb[EOL] >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb[EOL] ^[EOL] ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb[EOL] ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb[EOL] ==================================================================[EOL][EOL]POC is available in the link [1].[EOL][EOL]The problem triggering process is as follows:[EOL][EOL]Process 1 Process 2[EOL]-----------------------------------[EOL]---truncated---
CREATE(Triage):(User=lchen-cn) [CVE-2025-38051 (https://nvd.nist.gov/vuln/detail/CVE-2025-38051)
