Acknowledged
Created: Aug 24, 2025
Updated: Aug 26, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

net: appletalk: Fix use-after-free in AARP proxy probe

The AARP proxy-probe routine (aarp_proxy_probe_network) sends a probe,
releases the aarp_lock, sleeps, then re-acquires the lock. During that
window an expire timer thread (__aarp_expire_timer) can remove and
kfree() the same entry, leading to a use-after-free.

race condition:

 cpu 0                              |            cpu 1
 atalk_sendmsg()                    |    atif_proxy_probe_device()
 aarp_send_ddp()                    |    aarp_proxy_probe_network()
 mod_timer()                        |    lock(aarp_lock) // LOCK!!
 timeout around 200ms               |    alloc(aarp_entry)
 and then call                      |    proxies[hash] = aarp_entry
 aarp_expire_timeout()              |    aarp_send_probe()
                                    |    unlock(aarp_lock) // UNLOCK!!
 lock(aarp_lock) // LOCK!!          |    msleep(100);
 __aarp_expire_timer(&proxies[ct])  |
 free(aarp_entry)                   |
 unlock(aarp_lock) // UNLOCK!!      |
                                    |    lock(aarp_lock) // LOCK!!
                                    |    UAF aarp_entry !!

==================================================================
BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493
Read of size 4 at addr ffff8880123aa360 by task repro/13278

CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full)
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc1/0x630 mm/kasan/report.c:521
 kasan_report+0xca/0x100 mm/kasan/report.c:634
 aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493
 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]
 atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857
 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818
 sock_do_ioctl+0xdc/0x260 net/socket.c:1190
 sock_ioctl+0x239/0x6a0 net/socket.c:1311
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl fs/ioctl.c:892 [inline]
 __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

Allocated:
 aarp_alloc net/appletalk/aarp.c:382 [inline]
 aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468
 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]
 atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857
 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818

Freed:
 kfree+0x148/0x4d0 mm/slub.c:4841
 __aarp_expire net/appletalk/aarp.c:90 [inline]
 __aarp_expire_timer net/appletalk/aarp.c:261 [inline]
 aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317

The buggy address belongs to the object at ffff8880123aa300
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 96 bytes inside of
 freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)

Memory state around the buggy address:
 ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
CREATE(Triage):(User=pbi-cn) CVE-2025-38666 (https://nvd.nist.gov/vuln/detail/CVE-2025-38666)
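The lock-drop window described in the commit message above, modelled in user-space C as an added illustration. This is not code from net/appletalk/aarp.c or from the upstream fix: the hash table, the lock, the simulated timer and the names proxy_probe_buggy and proxy_probe_revalidated are assumptions made for the model. Freed entries are quarantined and poisoned instead of being returned to the allocator so the stale read can be reported rather than crash the process, standing in for what KASAN reports on the real kernel. The revalidating variant re-finds the entry under the lock after sleeping; that is one generic mitigation shape for this class of bug and not a statement of how the upstream patch resolved it.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model of the AARP proxy table race (illustrative, assumed names). */
#define HASH_SIZE 16
#define STATUS_PROBE      0x01
#define STATUS_PROBE_FAIL 0x02
#define PROBE_GONE  (-1)   /* entry expired while we slept, detected safely   */
#define PROBE_UAF   (-2)   /* entry expired while we slept, read after free  */

struct aarp_entry {
    struct aarp_entry *next;
    unsigned int node;
    unsigned long expires_at;   /* in simulated jiffies */
    int status;
    int poisoned;               /* set by entry_free(); models KASAN poisoning */
};

static struct aarp_entry *proxies[HASH_SIZE];
static struct aarp_entry *quarantine;   /* "freed" entries kept readable */
static unsigned long jiffies;           /* simulated clock */
static int aarp_lock_held;              /* stand-in for aarp_lock */

static void aarp_lock(void)   { aarp_lock_held = 1; }
static void aarp_unlock(void) { aarp_lock_held = 0; }

/* Stand-in for kfree(): caller has already unlinked the entry. */
static void entry_free(struct aarp_entry *e) {
    e->poisoned = 1;
    e->next = quarantine;
    quarantine = e;
}

static struct aarp_entry *entry_alloc(unsigned int node, unsigned long ttl) {
    struct aarp_entry *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->node = node;
    e->expires_at = jiffies + ttl;
    e->status = STATUS_PROBE;
    return e;
}

static unsigned int hash_of(unsigned int node) { return node % (HASH_SIZE - 1); }

static void proxies_insert(struct aarp_entry *e) {
    unsigned int h = hash_of(e->node);
    e->next = proxies[h];
    proxies[h] = e;
}

static struct aarp_entry *proxies_find(unsigned int node) {
    for (struct aarp_entry *e = proxies[hash_of(node)]; e; e = e->next)
        if (e->node == node) return e;
    return NULL;
}

/* Model of __aarp_expire_timer(): unlink and free every expired entry. */
static int aarp_expire_timeout(void) {
    int freed = 0;
    for (unsigned int h = 0; h < HASH_SIZE; h++) {
        struct aarp_entry **pp = &proxies[h];
        while (*pp) {
            struct aarp_entry *e = *pp;
            if (jiffies > e->expires_at) { *pp = e->next; entry_free(e); freed++; }
            else pp = &e->next;
        }
    }
    return freed;
}

/* What the sleep window allows: time passes and the timer runs under the lock. */
static void sleep_with_timer(unsigned long ms) {
    jiffies += ms;
    aarp_lock();
    aarp_expire_timeout();
    aarp_unlock();
}

/* Vulnerable shape: the raw pointer is kept across the unlock/sleep window. */
static int proxy_probe_buggy(unsigned int node, unsigned long sleep_ms) {
    aarp_lock();
    struct aarp_entry *entry = entry_alloc(node, 200);
    proxies_insert(entry);          /* visible to the timer from here on */
    aarp_unlock();
    sleep_with_timer(sleep_ms);     /* timer may free `entry` meanwhile */
    aarp_lock();
    int rc = entry->poisoned ? PROBE_UAF : entry->status;   /* stale read */
    aarp_unlock();
    return rc;
}

/* Revalidated shape: look the entry up again under the lock before using it. */
static int proxy_probe_revalidated(unsigned int node, unsigned long sleep_ms) {
    aarp_lock();
    struct aarp_entry *entry = entry_alloc(node, 200);
    proxies_insert(entry);
    aarp_unlock();
    sleep_with_timer(sleep_ms);
    aarp_lock();
    entry = proxies_find(node);     /* NULL if the timer already freed it */
    int rc = entry ? entry->status : PROBE_GONE;
    aarp_unlock();
    return rc;
}

int main(void) {
    printf("buggy, timer fires during sleep:       %d\n", proxy_probe_buggy(5, 300));
    printf("revalidated, timer fires during sleep: %d\n", proxy_probe_revalidated(6, 300));
    printf("buggy, sleep shorter than TTL:         %d\n", proxy_probe_buggy(7, 100));
    return 0;
}
```

A sleep longer than the entry's TTL reproduces the sequence in the diagram: the buggy variant reads a poisoned entry (PROBE_UAF), the revalidated one notices the entry is gone (PROBE_GONE). With a sleep shorter than the TTL both variants see the live entry and return STATUS_PROBE, which is why this kind of race is easy to miss in ordinary testing.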