GHSA-5GW7-G26R-R6WH

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-02 09:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()

The ieee80211 skb control block key (set when skb was queued) could have been removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue() already called ieee80211_tx_h_select_key() to get the current key, but the latter do not update the key in skb control block in case it is NULL. Because some drivers actually use this key in their TX callbacks (e.g. ath1{1,2}k_mac_op_tx()) this could lead to the use after free below:

BUG: KASAN: slab-use-after-free in ath11k_mac_op_tx+0x590/0x61c Read of size 4 at addr ffffff803083c248 by task kworker/u16:4/1440

CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 Not tainted 6.13.0-ge128f627f404 #2 Hardware name: HW (DT) Workqueue: bat_events batadv_send_outstanding_bcast_packet Call trace: show_stack+0x14/0x1c (C) dump_stack_lvl+0x58/0x74 print_report+0x164/0x4c0 kasan_report+0xac/0xe8 __asan_report_load4_noabort+0x1c/0x24 ath11k_mac_op_tx+0x590/0x61c ieee80211_handle_wake_tx_queue+0x12c/0x1c8 ieee80211_queue_skb+0xdcc/0x1b4c ieee80211_tx+0x1ec/0x2bc ieee80211_xmit+0x224/0x324 __ieee80211_subif_start_xmit+0x85c/0xcf8 ieee80211_subif_start_xmit+0xc0/0xec4 dev_hard_start_xmit+0xf4/0x28c __dev_queue_xmit+0x6ac/0x318c batadv_send_skb_packet+0x38c/0x4b0 batadv_send_outstanding_bcast_packet+0x110/0x328 process_one_work+0x578/0xc10 worker_thread+0x4bc/0xc7c kthread+0x2f8/0x380 ret_from_fork+0x10/0x20

Allocated by task 1906: kasan_save_stack+0x28/0x4c kasan_save_track+0x1c/0x40 kasan_save_alloc_info+0x3c/0x4c __kasan_kmalloc+0xac/0xb0 __kmalloc_noprof+0x1b4/0x380 ieee80211_key_alloc+0x3c/0xb64 ieee80211_add_key+0x1b4/0x71c nl80211_new_key+0x2b4/0x5d8 genl_family_rcv_msg_doit+0x198/0x240 <...>

Freed by task 1494: kasan_save_stack+0x28/0x4c kasan_save_track+0x1c/0x40 kasan_save_free_info+0x48/0x94 __kasan_slab_free+0x48/0x60 kfree+0xc8/0x31c kfree_sensitive+0x70/0x80 ieee80211_key_free_common+0x10c/0x174 ieee80211_free_keys+0x188/0x46c ieee80211_stop_mesh+0x70/0x2cc ieee80211_leave_mesh+0x1c/0x60 cfg80211_leave_mesh+0xe0/0x280 cfg80211_leave+0x1e0/0x244 <...>

Reset SKB control block key before calling ieee80211_tx_h_select_key() to avoid that.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-37795"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T14:15:44Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Update skb\u0027s control block key in ieee80211_tx_dequeue()\n\nThe ieee80211 skb control block key (set when skb was queued) could have\nbeen removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue()\nalready called ieee80211_tx_h_select_key() to get the current key, but\nthe latter do not update the key in skb control block in case it is\nNULL. Because some drivers actually use this key in their TX callbacks\n(e.g. ath1{1,2}k_mac_op_tx()) this could lead to the use after free\nbelow:\n\n  BUG: KASAN: slab-use-after-free in ath11k_mac_op_tx+0x590/0x61c\n  Read of size 4 at addr ffffff803083c248 by task kworker/u16:4/1440\n\n  CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 Not tainted 6.13.0-ge128f627f404 #2\n  Hardware name: HW (DT)\n  Workqueue: bat_events batadv_send_outstanding_bcast_packet\n  Call trace:\n   show_stack+0x14/0x1c (C)\n   dump_stack_lvl+0x58/0x74\n   print_report+0x164/0x4c0\n   kasan_report+0xac/0xe8\n   __asan_report_load4_noabort+0x1c/0x24\n   ath11k_mac_op_tx+0x590/0x61c\n   ieee80211_handle_wake_tx_queue+0x12c/0x1c8\n   ieee80211_queue_skb+0xdcc/0x1b4c\n   ieee80211_tx+0x1ec/0x2bc\n   ieee80211_xmit+0x224/0x324\n   __ieee80211_subif_start_xmit+0x85c/0xcf8\n   ieee80211_subif_start_xmit+0xc0/0xec4\n   dev_hard_start_xmit+0xf4/0x28c\n   __dev_queue_xmit+0x6ac/0x318c\n   batadv_send_skb_packet+0x38c/0x4b0\n   batadv_send_outstanding_bcast_packet+0x110/0x328\n   process_one_work+0x578/0xc10\n   worker_thread+0x4bc/0xc7c\n   kthread+0x2f8/0x380\n   ret_from_fork+0x10/0x20\n\n  Allocated by task 1906:\n   kasan_save_stack+0x28/0x4c\n   kasan_save_track+0x1c/0x40\n   kasan_save_alloc_info+0x3c/0x4c\n   __kasan_kmalloc+0xac/0xb0\n   __kmalloc_noprof+0x1b4/0x380\n   ieee80211_key_alloc+0x3c/0xb64\n   ieee80211_add_key+0x1b4/0x71c\n   nl80211_new_key+0x2b4/0x5d8\n   genl_family_rcv_msg_doit+0x198/0x240\n  \u003c...\u003e\n\n  Freed by task 1494:\n   kasan_save_stack+0x28/0x4c\n   kasan_save_track+0x1c/0x40\n   kasan_save_free_info+0x48/0x94\n   __kasan_slab_free+0x48/0x60\n   kfree+0xc8/0x31c\n   kfree_sensitive+0x70/0x80\n   ieee80211_key_free_common+0x10c/0x174\n   ieee80211_free_keys+0x188/0x46c\n   ieee80211_stop_mesh+0x70/0x2cc\n   ieee80211_leave_mesh+0x1c/0x60\n   cfg80211_leave_mesh+0xe0/0x280\n   cfg80211_leave+0x1e0/0x244\n  \u003c...\u003e\n\nReset SKB control block key before calling ieee80211_tx_h_select_key()\nto avoid that.",
  "id": "GHSA-5gw7-g26r-r6wh",
  "modified": "2025-05-02T09:30:35Z",
  "published": "2025-05-01T15:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37795"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0cbd747f343c28d911443dd4174820600cc0d952"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/159499c1341f66a71d985e9b79f2131e88d1c646"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/47fe322fb4e000f3bb89c2b370a15f3dfdfb9109"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7fa75affe2a97abface2b0d9b95e15728967dda7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9d00c0a807a3bb7d8fadcd6c26f95f207ab0ce15"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a104042e2bf6528199adb6ca901efe7b60c2c27f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a167a2833d3f862e800cc23067b21ff1df3a1085"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bb5c4347d50410e3b262c1dd4081e36aa06826f8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.