ghsa-3cpf-qphm-hqhv
Vulnerability from github
Published
2025-10-15 09:30
Modified
2025-10-15 09:30
Details

In the Linux kernel, the following vulnerability has been resolved:

net: tun: Update napi->skb after XDP process

The syzbot report a UAF issue:

BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline] BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline] BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758 Read of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079 CPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 skb_reset_mac_header include/linux/skbuff.h:3150 [inline] napi_frags_skb net/core/gro.c:723 [inline] napi_gro_frags+0x6e/0x1030 net/core/gro.c:758 tun_get_user+0x28cb/0x3e20 drivers/net/tun.c:1920 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Allocated by task 6079: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:330 [inline] __kasan_mempool_unpoison_object+0xa0/0x170 mm/kasan/common.c:558 kasan_mempool_unpoison_object include/linux/kasan.h:388 [inline] napi_skb_cache_get+0x37b/0x6d0 net/core/skbuff.c:295 __alloc_skb+0x11e/0x2d0 net/core/skbuff.c:657 napi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811 napi_get_frags+0x69/0x140 net/core/gro.c:673 tun_napi_alloc_frags drivers/net/tun.c:1404 [inline] tun_get_user+0x77c/0x3e20 drivers/net/tun.c:1784 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6079: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:243 [inline] __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2422 [inline] slab_free mm/slub.c:4695 [inline] kmem_cache_free+0x18f/0x400 mm/slub.c:4797 skb_pp_cow_data+0xdd8/0x13e0 net/core/skbuff.c:969 netif_skb_check_for_xdp net/core/dev.c:5390 [inline] netif_receive_generic_xdp net/core/dev.c:5431 [inline] do_xdp_generic+0x699/0x11a0 net/core/dev.c:5499 tun_get_user+0x2523/0x3e20 drivers/net/tun.c:1872 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

After commit e6d5dbdd20aa ("xdp: add multi-buff support for xdp running in generic mode"), the original skb may be freed in skb_pp_cow_data() when XDP program was attached, which was allocated in tun_napi_alloc_frags(). However, the napi->skb still point to the original skb, update it after XDP process.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39984"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-15T08:15:36Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: Update napi-\u003eskb after XDP process\n\nThe syzbot report a UAF issue:\n\n  BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline]\n  BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline]\n  BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758\n  Read of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079\n  CPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n   print_address_description mm/kasan/report.c:378 [inline]\n   print_report+0xca/0x240 mm/kasan/report.c:482\n   kasan_report+0x118/0x150 mm/kasan/report.c:595\n   skb_reset_mac_header include/linux/skbuff.h:3150 [inline]\n   napi_frags_skb net/core/gro.c:723 [inline]\n   napi_gro_frags+0x6e/0x1030 net/core/gro.c:758\n   tun_get_user+0x28cb/0x3e20 drivers/net/tun.c:1920\n   tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996\n   new_sync_write fs/read_write.c:593 [inline]\n   vfs_write+0x5c9/0xb30 fs/read_write.c:686\n   ksys_write+0x145/0x250 fs/read_write.c:738\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   \u003c/TASK\u003e\n\n  Allocated by task 6079:\n   kasan_save_stack mm/kasan/common.c:47 [inline]\n   kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n   unpoison_slab_object mm/kasan/common.c:330 [inline]\n   __kasan_mempool_unpoison_object+0xa0/0x170 mm/kasan/common.c:558\n   kasan_mempool_unpoison_object include/linux/kasan.h:388 [inline]\n   napi_skb_cache_get+0x37b/0x6d0 net/core/skbuff.c:295\n   __alloc_skb+0x11e/0x2d0 net/core/skbuff.c:657\n   napi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811\n   napi_get_frags+0x69/0x140 net/core/gro.c:673\n   tun_napi_alloc_frags drivers/net/tun.c:1404 [inline]\n   tun_get_user+0x77c/0x3e20 drivers/net/tun.c:1784\n   tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996\n   new_sync_write fs/read_write.c:593 [inline]\n   vfs_write+0x5c9/0xb30 fs/read_write.c:686\n   ksys_write+0x145/0x250 fs/read_write.c:738\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n  Freed by task 6079:\n   kasan_save_stack mm/kasan/common.c:47 [inline]\n   kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n   kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n   poison_slab_object mm/kasan/common.c:243 [inline]\n   __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275\n   kasan_slab_free include/linux/kasan.h:233 [inline]\n   slab_free_hook mm/slub.c:2422 [inline]\n   slab_free mm/slub.c:4695 [inline]\n   kmem_cache_free+0x18f/0x400 mm/slub.c:4797\n   skb_pp_cow_data+0xdd8/0x13e0 net/core/skbuff.c:969\n   netif_skb_check_for_xdp net/core/dev.c:5390 [inline]\n   netif_receive_generic_xdp net/core/dev.c:5431 [inline]\n   do_xdp_generic+0x699/0x11a0 net/core/dev.c:5499\n   tun_get_user+0x2523/0x3e20 drivers/net/tun.c:1872\n   tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996\n   new_sync_write fs/read_write.c:593 [inline]\n   vfs_write+0x5c9/0xb30 fs/read_write.c:686\n   ksys_write+0x145/0x250 fs/read_write.c:738\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nAfter commit e6d5dbdd20aa (\"xdp: add multi-buff support for xdp running in\ngeneric mode\"), the original skb may be freed in skb_pp_cow_data() when\nXDP program was attached, which was allocated in tun_napi_alloc_frags().\nHowever, the napi-\u003eskb still point to the original skb, update it after\nXDP process.",
  "id": "GHSA-3cpf-qphm-hqhv",
  "modified": "2025-10-15T09:30:17Z",
  "published": "2025-10-15T09:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39984"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1091860a16a86ccdd77c09f2b21a5f634f5ab9ec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1697577e1669b0321d02cd848384a5d33e284296"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/953200d56fc23eebf80a5ad9eed6e2e8a3065093"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.