CVE-2025-38019 Information
Description
In the Linux kernel the following vulnerability has been resolved:
mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices
The driver only offloads neighbors that are constructed on top of net devices registered by it or their uppers (which are all Ethernet). The device supports GRE encapsulation and decapsulation of forwarded traffic but the driver will not offload dummy neighbors constructed on top of GRE net devices as they are not uppers of its net devices:
ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1
ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1
$ ip neigh show dev gre1 nud noarp
0.0.0.0 lladdr 0.0.0.0 NOARP
(Note that the neighbor is not marked with ‘offload’)
When the driver is reloaded and the existing configuration is replayed the driver does not perform the same check regarding existing neighbors and offloads the previously added one:
devlink dev reload pci/0000:01:00.0
$ ip neigh show dev gre1 nud noarp
0.0.0.0 lladdr 0.0.0.0 offload NOARP
If the neighbor is later deleted the driver will ignore the notification (given the GRE net device is not its upper) and will therefore keep referencing freed memory resulting in a use-after-free [1] when the net device is deleted:
ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1
ip link del dev gre1
Fix by skipping neighbor replay if the net device for which the replay is performed is not our upper.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200
Read of size 8 at addr ffff888155b0e420 by task ip/2282
[…]
Call Trace:
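
Added example, not part of the kernel commit or this advisory: a shell check built on the `ip neigh show` output quoted above, which flags NOARP neighbors on GRE net devices that carry the `offload` flag, the state the description says exists after a reload on an unfixed driver. The function names and the `ip -o link show type gre` device enumeration are assumptions of this example; the two sample lines are the outputs shown in the description.

```shell
#!/bin/sh
# Reads `ip neigh show dev <dev> nud noarp` output on stdin.
# Prints every entry that carries the 'offload' flag.
# Exit status: 0 if at least one such entry was found, 1 otherwise.
offloaded_neighbors() {
    awk '{
             for (i = 1; i <= NF; i++)
                 if ($i == "offload") { print; found = 1; break }
         }
         END { exit(found ? 0 : 1) }'
}

# Walks every GRE net device on a live system and reports offloaded
# NOARP neighbors. Returns 1 if any device is affected, 0 otherwise.
# Not called here, so the script stays runnable without a switch.
scan_gre_devices() {
    affected=0
    for dev in $(ip -o link show type gre |
                 awk -F': ' '{ sub(/@.*/, "", $2); print $2 }'); do
        if hits=$(ip neigh show dev "$dev" nud noarp | offloaded_neighbors); then
            printf '%s: %s\n' "$dev" "$hits"
            affected=1
        fi
    done
    return "$affected"
}

# Sample lines copied from the description: before and after the reload.
BEFORE_RELOAD='0.0.0.0 lladdr 0.0.0.0 NOARP'
AFTER_RELOAD='0.0.0.0 lladdr 0.0.0.0 offload NOARP'

# Demonstration on the two samples; on a switch, call scan_gre_devices.
for sample in "$BEFORE_RELOAD" "$AFTER_RELOAD"; do
    if printf '%s\n' "$sample" | offloaded_neighbors >/dev/null; then
        echo "FLAG: $sample"
    else
        echo "ok:   $sample"
    fi
done
```

A flagged entry means the driver holds a reference to a neighbor on a net device that is not its upper; the durable remedy is a kernel carrying one of the referenced stable commits.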
Reference
https://git.kernel.org/stable/c/92ec4855034b2c4d13f117558dc73d20581fa9ff
https://git.kernel.org/stable/c/9ab7945f3a61ed23da412e30f1e56414c05c4f06
https://git.kernel.org/stable/c/abc43c1ffdbc801b0b04ac845bfaf1d42b8f68f7
https://git.kernel.org/stable/c/f1ecccb5cdda39bca8cd17bb0b6cf61361e33578
Related CNNVD
CNNVD-202506-2154 (Published: 2025-06-18)