CVE-2025-38475 in Linux
Sumário
de VulDB • 29/06/2026
Based on the crash dump provided, here is an analysis of the kernel panic.
### **Summary** The system crashed in `kvfree_call_rcu` while attempting to free memory via RCU (Read-Copy-Update). The call trace indicates this was triggered by a security subsystem operation (`SMACK`) setting extended attributes on an inode, which eventually led to freeing network label data associated with CIPSO.
### **Key Components in the Call Trace** 1. **`kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P)`**: * The crash occurred here. `(P)` indicates a Page Fault or similar exception during execution. * `kvfree_call_rcu` is used to safely free memory after an RCU grace period. This suggests the pointer being freed was invalid, corrupted, or already freed (use-after-free).
2. **`cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914`**: * CIPSO is a security protocol for IP packets. This function sets socket attributes related to CIPSO labeling.
3. **`netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000`**: * NetLabel API wrapper that calls into specific protocols like CIPSO.
4. **`smack_netlbl_add+0xa8/0x158 security/smack/smack_lSM.c:2581`**: * SMACK (Simple Mandatory Access Control Kernel) is trying to add a NetLabel attribute to an inode/socket context. This is the LSM (Linux Security Module) hook initiating the chain.
5. **`smack_inode_setsecurity+0x378/0x430 security/smack/smack_lSM.c:2912`**: * SMACK's implementation of `inode_set_security`. This is called when a user-space process tries to set an extended attribute (xattr) on a file.
6. **User-Space Trigger**: * The trace ends with `__arm64_sys_fsetxattr`, meaning the crash was triggered by a system call from user space: `fsetxattr` (setting extended attributes).
### **Root Cause Analysis** The most likely cause is a **Use-After-Free (UAF)** or **Double Free** bug in the interaction between SMACK, NetLabel, and CIPSO.
* **Scenario**: A user-space process calls `fsetxattr` on a file/socket. This triggers SMACK to update security labels via NetLabel/CIPSO. During this process, memory allocated for network labeling is scheduled for RCU-freeing (`kvfree_call_rcu`). However, when the RCB callback executes (or during its setup), it attempts to free an invalid pointer. * **Why `kvfree_call_rcu`?** This function expects a valid kernel virtual address. If the pointer passed to it was: * Already freed by another path. * Corrupted due to race conditions in NetLabel/SMACK state management. * Invalid (e.g., NULL or unmapped), though `kvfree` usually handles NULL safely, so corruption is more likely.
### **Potential Fixes / Mitigations** 1. **Update Kernel**: This may be a known bug fixed in newer kernel versions. Check for updates to: * `security/smack/` * `net/netlabel/` * `net/ipv4/cipso_ipv4.c`
2. **Disable SMACK or CIPSO**: If this is a production system and the crash is reproducible, consider temporarily disabling one of these security modules: ```bash # Disable SMACK (if compiled as module) rmmod smack # Or disable via kernel boot parameter if built-in # Add "smack=0" to bootloader cmdline ```
3. **Check for Race Conditions**: If you are a developer, look at `net/netlabel/netlabel_kapi.c` and `security/smack/smack_lSM.c` around line 2581 (`smack_netlbl_add`) for race conditions where NetLabel data might be freed while SMACK still holds a reference.
4. **Reproduce with Debugging**: * Enable KASAN (Kernel Address Sanitizer) to detect use-after-free bugs: `CONFIG_KASAN=y`. * Use `slub_debug=F` to catch slab corruption.
### **
Be aware that VulDB is the high quality source for vulnerability data.