Wind River Support Network

HomeDefectsLIN1022-16820
Fixed

LIN1022-16820 : Security Advisory - linux - CVE-2025-38443

Created: Jul 28, 2025    Updated: Aug 28, 2025
Resolved Date: Aug 28, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]nbd: fix uaf in nbd_genl_connect() error path[EOL][EOL]There is a use-after-free issue in nbd:[EOL][EOL]block nbd6: Receive control failed (result -104)[EOL]block nbd6: shutting down sockets[EOL]==================================================================[EOL]BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022[EOL]Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67[EOL][EOL]CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full)[EOL]Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014[EOL]Workqueue: nbd6-recv recv_work[EOL]Call Trace:[EOL] <TASK>[EOL] __dump_stack lib/dump_stack.c:94 [inline][EOL] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120[EOL] print_address_description mm/kasan/report.c:408 [inline][EOL] print_report+0xc3/0x670 mm/kasan/report.c:521[EOL] kasan_report+0xe0/0x110 mm/kasan/report.c:634[EOL] check_region_inline mm/kasan/generic.c:183 [inline][EOL] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189[EOL] instrument_atomic_read_write include/linux/instrumented.h:96 [inline][EOL] atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline][EOL] recv_work+0x694/0xa80 drivers/block/nbd.c:1022[EOL] process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238[EOL] process_scheduled_works kernel/workqueue.c:3319 [inline][EOL] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400[EOL] kthread+0x3c2/0x780 kernel/kthread.c:464[EOL] ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153[EOL] ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245[EOL] </TASK>[EOL][EOL]nbd_genl_connect() does not properly stop the device on certain[EOL]error paths after nbd_start_device() has been called. This causes[EOL]the error path to put nbd->config while recv_work continue to use[EOL]the config after putting it, leading to use-after-free in recv_work.[EOL][EOL]This patch moves nbd_start_device() after the backend file creation.

CREATE(Triage):(User=admin) [CVE-2025-38443 (https://nvd.nist.gov/vuln/detail/CVE-2025-38443)
Live chat
Online
  • Linkedin
  • Facebook
  • Twitter
  • Youtube