Wind River Support Network

Acknowledged

LIN1022-16159 : Security Advisory - linux - CVE-2025-38052

Created: Jun 19, 2025    Updated: Jun 20, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done

Syzbot reported a slab-use-after-free with the following call trace:

  ==================================================================
  BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840
  Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25

  Call Trace:
   kasan_report+0xd9/0x110 mm/kasan/report.c:601
   tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840
   crypto_request_complete include/crypto/algapi.h:266
   aead_request_complete include/crypto/internal/aead.h:85
   cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772
   crypto_request_complete include/crypto/algapi.h:266
   cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181
   process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231

  Allocated by task 8355:
   kzalloc_noprof include/linux/slab.h:778
   tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466
   tipc_init_net+0x2dd/0x430 net/tipc/core.c:72
   ops_init+0xb9/0x650 net/core/net_namespace.c:139
   setup_net+0x435/0xb40 net/core/net_namespace.c:343
   copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508
   create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110
   unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
   ksys_unshare+0x419/0x970 kernel/fork.c:3323
   __do_sys_unshare kernel/fork.c:3394

  Freed by task 63:
   kfree+0x12a/0x3b0 mm/slub.c:4557
   tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539
   tipc_exit_net+0x8c/0x110 net/tipc/core.c:119
   ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173
   cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
   process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231

After the tipc_crypto tx is freed by deleting the namespace, tipc_aead_encrypt_done
may still visit it in the cryptd_queue_worker workqueue.

I reproduced this issue by:
  ip netns add ns1
  ip link add veth1 type veth peer name veth2
  ip link set veth1 netns ns1
  ip netns exec ns1 tipc bearer enable media eth dev veth1
  ip netns exec ns1 tipc node set key this_is_a_master_key master
  ip netns exec ns1 tipc bearer disable media eth dev veth1
  ip netns del ns1

The key to reproduction is that simd_aead_encrypt is interrupted, leading
to crypto_simd_usable() returning false. Thus, the cryptd_queue_worker is
triggered, and the tipc_crypto tx will be visited.

  tipc_disc_timeout
    tipc_bearer_xmit_skb
      tipc_crypto_xmit
        tipc_aead_encrypt
          crypto_aead_encrypt
            // encrypt()
            simd_aead_encrypt
              // crypto_simd_usable() is false
              child = &ctx->cryptd_tfm->base;

  simd_aead_encrypt
    crypto_aead_encrypt
      // encrypt()
      cryptd_aead_encrypt_enqueue
        cryptd_aead_enqueue
          cryptd_enqueue_request
            // trigger cryptd_queue_worker
            queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work)

Fix this by holding the net reference count before encrypt.
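The lifetime problem described above, as an added userspace model that is neither kernel code nor the upstream patch: a struct net owns the tipc_crypto tx object, an encrypt request completes later from the cryptd workqueue, and namespace teardown runs in between. get_net()/put_net(), tipc_aead_encrypt(), simulate() and the tipc_crypto_alive flag are modelled stand-ins for the kernel's real API and for kfree(), chosen so the ordering can be checked without a kernel.

```c
#include <stdbool.h>

/* Modelled per-namespace state: the flag stands in for the tipc_crypto tx
 * object that tipc_crypto_stop() kfree()s in the real kernel. */
struct net { int refcount; bool tipc_crypto_alive; };

/* An in-flight AEAD request whose completion may run after the namespace
 * that issued it has been deleted (the cryptd_queue_worker path above). */
struct aead_request {
    struct net *net;
    bool holds_net_ref;   /* true only on the fixed path */
    bool touched_freed;   /* set if the completion read freed state */
};

static void tipc_crypto_stop(struct net *net) { net->tipc_crypto_alive = false; }
static void get_net(struct net *net) { net->refcount++; }

/* Dropping the last reference models cleanup_net -> tipc_exit_net -> tipc_crypto_stop. */
static void put_net(struct net *net) {
    if (--net->refcount == 0)
        tipc_crypto_stop(net);
}

/* Completion callback: reads the tx crypto object, so that object must still be alive. */
static void tipc_aead_encrypt_done(struct aead_request *req) {
    req->touched_freed = !req->net->tipc_crypto_alive;
    if (req->holds_net_ref)
        put_net(req->net);  /* fixed path: release only after the last use */
}

/* Encrypt that is deferred to the workqueue; the fix takes a net reference first. */
static void tipc_aead_encrypt(struct aead_request *req, bool fixed) {
    req->holds_net_ref = fixed;
    if (fixed)
        get_net(req->net);
}

/* Replays the ordering from the report; returns true if freed state was touched. */
bool simulate(bool fixed) {
    struct net net = { .refcount = 1, .tipc_crypto_alive = true };  /* ip netns add ns1 */
    struct aead_request req = { .net = &net };
    tipc_aead_encrypt(&req, fixed);   /* request queued, crypto_simd_usable() false */
    put_net(&net);                    /* ip netns del ns1 runs before the work item */
    tipc_aead_encrypt_done(&req);     /* cryptd_queue_worker fires */
    return req.touched_freed;
}
```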

CREATE(Triage): (User=lchen-cn) CVE-2025-38052 (https://nvd.nist.gov/vuln/detail/CVE-2025-38052)