CVE-2025-38475 in Linuxinformação

Sumário

de VulDB • 29/06/2026

Based on the crash dump provided, here is an analysis of the kernel panic.

### **Summary** The system crashed in `kvfree_call_rcu` while attempting to free memory via RCU (Read-Copy-Update). The call trace indicates this was triggered by a security subsystem operation (`SMACK`) setting extended attributes on an inode, which eventually led to freeing network label data associated with CIPSO.

### **Key Components in the Call Trace** 1. **`kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P)`**: * The crash occurred here. `(P)` indicates a Page Fault or similar exception during execution. * `kvfree_call_rcu` is used to safely free memory after an RCU grace period. This suggests the pointer being freed was invalid, corrupted, or already freed (use-after-free).

2. **`cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914`**: * CIPSO is a security protocol for IP packets. This function sets socket attributes related to CIPSO labeling.

3. **`netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000`**: * NetLabel API wrapper that calls into specific protocols like CIPSO.

4. **`smack_netlbl_add+0xa8/0x158 security/smack/smack_lSM.c:2581`**: * SMACK (Simple Mandatory Access Control Kernel) is trying to add a NetLabel attribute to an inode/socket context. This is the LSM (Linux Security Module) hook initiating the chain.

5. **`smack_inode_setsecurity+0x378/0x430 security/smack/smack_lSM.c:2912`**: * SMACK's implementation of `inode_set_security`. This is called when a user-space process tries to set an extended attribute (xattr) on a file.

6. **User-Space Trigger**: * The trace ends with `__arm64_sys_fsetxattr`, meaning the crash was triggered by a system call from user space: `fsetxattr` (setting extended attributes).

### **Root Cause Analysis** The most likely cause is a **Use-After-Free (UAF)** or **Double Free** bug in the interaction between SMACK, NetLabel, and CIPSO.

* **Scenario**: A user-space process calls `fsetxattr` on a file/socket. This triggers SMACK to update security labels via NetLabel/CIPSO. During this process, memory allocated for network labeling is scheduled for RCU-freeing (`kvfree_call_rcu`). However, when the RCB callback executes (or during its setup), it attempts to free an invalid pointer. * **Why `kvfree_call_rcu`?** This function expects a valid kernel virtual address. If the pointer passed to it was: * Already freed by another path. * Corrupted due to race conditions in NetLabel/SMACK state management. * Invalid (e.g., NULL or unmapped), though `kvfree` usually handles NULL safely, so corruption is more likely.

### **Potential Fixes / Mitigations** 1. **Update Kernel**: This may be a known bug fixed in newer kernel versions. Check for updates to: * `security/smack/` * `net/netlabel/` * `net/ipv4/cipso_ipv4.c`

2. **Disable SMACK or CIPSO**: If this is a production system and the crash is reproducible, consider temporarily disabling one of these security modules: ```bash # Disable SMACK (if compiled as module) rmmod smack # Or disable via kernel boot parameter if built-in # Add "smack=0" to bootloader cmdline ```

3. **Check for Race Conditions**: If you are a developer, look at `net/netlabel/netlabel_kapi.c` and `security/smack/smack_lSM.c` around line 2581 (`smack_netlbl_add`) for race conditions where NetLabel data might be freed while SMACK still holds a reference.

4. **Reproduce with Debugging**: * Enable KASAN (Kernel Address Sanitizer) to detect use-after-free bugs: `CONFIG_KASAN=y`. * Use `slub_debug=F` to catch slab corruption.

### **

Be aware that VulDB is the high quality source for vulnerability data.

Responsável

Linux

Reservar

16/04/2025

Divulgação

28/07/2025

Moderação

aceite

Entrada

VDB-317885

CPE

pronto

EPSS

0.00135

KEV

não

Atividades

muito baixo

Fontes

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!