{"uuid": "fd7047a3-8c71-4cc8-a7c4-9732868e67c1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-21652", "type": "seen", "source": "https://t.me/cvedetector/15841", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-21652 - In the Linux kernel, the following vulnerability h\", \n  \"Content\": \"CVE ID : CVE-2025-21652 \nPublished : Jan. 19, 2025, 11:15 a.m. | 45\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nipvlan: Fix use-after-free in ipvlan_get_iflink().  \n  \nsyzbot presented an use-after-free report [0] regarding ipvlan and  \nlinkwatch.  \n  \nipvlan does not hold a refcnt of the lower device unlike vlan and  \nmacvlan.  \n  \nIf the linkwatch work is triggered for the ipvlan dev, the lower dev  \nmight have already been freed, resulting in UAF of ipvlan->phy_dev in  \nipvlan_get_iflink().  \n  \nWe can delay the lower dev unregistration like vlan and macvlan by  \nholding the lower dev's refcnt in dev->netdev_ops->ndo_init() and  \nreleasing it in dev->priv_destructor().  \n  \nJakub pointed out calling .ndo_XXX after unregister_netdevice() has  \nreturned is error prone and suggested [1] addressing this UAF in the  \ncore by taking commit 750e51603395 (\"net: avoid potential UAF in  \ndefault_operstate()\") further.  \n  \nLet's assume unregistering devices DOWN and use RCU protection in  \ndefault_operstate() not to race with the device unregistration.  \n  \n[0]:  \nBUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353  \nRead of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944  \n  \nCPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47  \nHardware name: linux,dummy-virt (DT)  \nWorkqueue: events_unbound linkwatch_event  \nCall trace:  \n show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C)  \n __dump_stack lib/dump_stack.c:94 [inline]  \n dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120  \n print_address_description mm/kasan/report.c:378 [inline]  \n print_report+0x16c/0x6f0 mm/kasan/report.c:489  \n kasan_report+0xc0/0x120 mm/kasan/report.c:602  \n __asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380  \n ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353  \n dev_get_iflink+0x7c/0xd8 net/core/dev.c:674  \n default_operstate net/core/link_watch.c:45 [inline]  \n rfc2863_policy+0x144/0x360 net/core/link_watch.c:72  \n linkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175  \n __linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239  \n linkwatch_event+0x64/0xa8 net/core/link_watch.c:282  \n process_one_work+0x700/0x1398 kernel/workqueue.c:3229  \n process_scheduled_works kernel/workqueue.c:3310 [inline]  \n worker_thread+0x8c4/0xe10 kernel/workqueue.c:3391  \n kthread+0x2b0/0x360 kernel/kthread.c:389  \n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862  \n  \nAllocated by task 9303:  \n kasan_save_stack mm/kasan/common.c:47 [inline]  \n kasan_save_track+0x30/0x68 mm/kasan/common.c:68  \n kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568  \n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  \n __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394  \n kasan_kmalloc include/linux/kasan.h:260 [inline]  \n __do_kmalloc_node mm/slub.c:4283 [inline]  \n __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289  \n __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650  \n alloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209  \n rtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595  \n rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771  \n __rtnl_newlink net/core/rtnetlink.c:3896 [inline]  \n rtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011  \n rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901  \n netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542  \n rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928  \n netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]  \n netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347  \n netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891  \n sock_sendmsg_nosec net/socket.c:711 [inline]  \n __sock_sendmsg net/socket.c:726 [inline]  \n __sys_sendto+0x2ec/0x438 net/socket.c:2197  \n __do_sys_sendto net/socket.c:2204 [inline]  \n __se_sys_sendto[...]", "creation_timestamp": "2025-01-19T13:07:29.000000Z"}