{ "threat_severity" : "Moderate", "public_date" : "2025-01-19T00:00:00Z", "bugzilla" : { "description" : "kernel: ipvlan: Fix use-after-free in ipvlan_get_iflink().", "id" : "2338821", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2338821" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nipvlan: Fix use-after-free in ipvlan_get_iflink().\nsyzbot presented an use-after-free report [0] regarding ipvlan and\nlinkwatch.\nipvlan does not hold a refcnt of the lower device unlike vlan and\nmacvlan.\nIf the linkwatch work is triggered for the ipvlan dev, the lower dev\nmight have already been freed, resulting in UAF of ipvlan->phy_dev in\nipvlan_get_iflink().\nWe can delay the lower dev unregistration like vlan and macvlan by\nholding the lower dev's refcnt in dev->netdev_ops->ndo_init() and\nreleasing it in dev->priv_destructor().\nJakub pointed out calling .ndo_XXX after unregister_netdevice() has\nreturned is error prone and suggested [1] addressing this UAF in the\ncore by taking commit 750e51603395 (\"net: avoid potential UAF in\ndefault_operstate()\") further.\nLet's assume unregistering devices DOWN and use RCU protection in\ndefault_operstate() not to race with the device unregistration.\n[0]:\nBUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353\nRead of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944\nCPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47\nHardware name: linux,dummy-virt (DT)\nWorkqueue: events_unbound linkwatch_event\nCall trace:\nshow_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C)\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:378 [inline]\nprint_report+0x16c/0x6f0 mm/kasan/report.c:489\nkasan_report+0xc0/0x120 mm/kasan/report.c:602\n__asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380\nipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353\ndev_get_iflink+0x7c/0xd8 net/core/dev.c:674\ndefault_operstate net/core/link_watch.c:45 [inline]\nrfc2863_policy+0x144/0x360 net/core/link_watch.c:72\nlinkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175\n__linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239\nlinkwatch_event+0x64/0xa8 net/core/link_watch.c:282\nprocess_one_work+0x700/0x1398 kernel/workqueue.c:3229\nprocess_scheduled_works kernel/workqueue.c:3310 [inline]\nworker_thread+0x8c4/0xe10 kernel/workqueue.c:3391\nkthread+0x2b0/0x360 kernel/kthread.c:389\nret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862\nAllocated by task 9303:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x30/0x68 mm/kasan/common.c:68\nkasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568\npoison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n__kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394\nkasan_kmalloc include/linux/kasan.h:260 [inline]\n__do_kmalloc_node mm/slub.c:4283 [inline]\n__kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289\n__kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650\nalloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209\nrtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595\nrtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771\n__rtnl_newlink net/core/rtnetlink.c:3896 [inline]\nrtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011\nrtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901\nnetlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542\nrtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928\nnetlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\nnetlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347\nnetlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891\nsock_sendmsg_nosec net/socket.c:711 [inline]\n__sock_sendmsg net/socket.c:726 [inline]\n__sys_sendto+0x2ec/0x438 net/socket.c:2197\n__do_sys_sendto net/socket.c:2204 [inline]\n__se_sys_sendto net/socket.c:2200 [inline]\n__arm64_sys_sendto+0xe4/0x110 net/socket.c:2200\n__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\ninvoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49\nel0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132\ndo_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151\nel\n---truncated---" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20095", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.8.1.el10_1" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21652\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21652\nhttps://lore.kernel.org/linux-cve-announce/2025011947-CVE-2025-21652-95d7@gregkh/T" ], "name" : "CVE-2025-21652", "csaw" : false }