CVE-2025-38051 smb: client: Fix use-after-free in cifs_fill_dirent
Issue
- What is CVE-2025-38051 (https://access.redhat.com/security/cve/cve-2025-38051)?
- Kernel panic in the cifs module, with the following kernel log:
[3674886.410113] CIFS: VFS: \\a.b.c.d.e Send error in SessSetup = -11
[3674886.418707] CIFS: VFS: \\a.b.c.d.e Send error in SessSetup = -11
[3674886.425651] CIFS: VFS: \\a.b.c.d.e Send error in SessSetup = -11
[3674886.566786] CIFS: VFS: \\a.b.c.d.e Send error in SessSetup = -11
[3674886.577885] CIFS: VFS: \\a.b.c.d.e Send error in SessSetup = -11
[3674886.577913] BUG: unable to handle page fault for address: ffabf17ab964a1c8
[3674886.577918] #PF: supervisor read access in kernel mode
[3674886.577919] #PF: error_code(0x0000) - not-present page
[3674886.577921] PGD 20ffdbd067 P4D 0
[3674886.577923] Oops: 0000 [#1] PREEMPT SMP NOPTI
[3674886.577926] CPU: 5 PID: 3135717 Comm: oracle_3135717_ Kdump: loaded Not tainted 5.14.0-570.58.1.el9_6.x86_64 #1
[3674886.577928] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 08/23/2024
[3674886.577929] RIP: 0010:kmem_cache_free+0x62/0x420
[3674886.577934] Code: f4 0f 82 bc 03 00 00 48 c7 c0 00 00 00 80 45 31 ed 48 2b 05 88 4b 35 01 4c 01 e0 48 c1 e8 0c 48 c1 e0 06 48 03 05 66 4b 35 01 <48> 8b 48 08 f6 c1 01 0f 85 e8 02 00 00 0f 1f 44 00 00 48 8b 08 80
[3674886.577935] RSP: 0018:ff648f7b592878d0 EFLAGS: 00010286
[3674886.577937] RAX: ffabf17ab964a1c0 RBX: ff648f7b59287b10 RCX: ff45963644b98000
[3674886.577938] RDX: ff459634d4ddf300 RSI: ff648f7b59287b10 RDI: ff459634d4ddf300
[3674886.577939] RBP: ff648f7b59287920 R08: ff648f7b59287b10 R09: 00000000ffffff90
[3674886.577940] R10: 0000000000000088 R11: 0000000000000000 R12: ff648f7bd9287b10
[3674886.577941] R13: 0000000000000000 R14: 0000000000000000 R15: 00000000ffffff90
[3674886.577942] FS: 00007fba78095400(0000) GS:ff45963d7f940000(0000) knlGS:0000000000000000
[3674886.577944] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[3674886.577945] CR2: ffabf17ab964a1c8 CR3: 000000037ba08003 CR4: 0000000000373ef0
[3674886.577947] Call Trace:
[3674886.577949] <TASK>
[3674886.577950] ? show_trace_log_lvl+0x1c4/0x2df
[3674886.577955] ? show_trace_log_lvl+0x1c4/0x2df
[3674886.577960] ? cifs_small_buf_release+0x16/0x70 [cifs]
[3674886.578091] ? __die_body.cold+0x8/0xd
[3674886.578093] ? page_fault_oops+0x134/0x170
[3674886.578097] ? kernelmode_fixup_or_oops+0x84/0x110
[3674886.578100] ? exc_page_fault+0xa8/0x150
[3674886.578105] ? asm_exc_page_fault+0x22/0x30
[3674886.578110] ? kmem_cache_free+0x62/0x420
[3674886.578112] cifs_small_buf_release+0x16/0x70 [cifs]
[3674886.578207] SMB2_open_free+0x1f/0x60 [cifs]
[3674886.578312] smb2_unlink+0x3c5/0x450 [cifs]
[3674886.578414] ? avc_has_perm_noaudit+0x94/0x110
[3674886.578419] ? mntput_no_expire+0x4a/0x250
[3674886.578423] ? avc_has_perm_noaudit+0x94/0x110
[3674886.578425] ? __dentry_path+0xda/0x130
[3674886.578428] ? dentry_path_raw+0x4a/0x70
[3674886.578430] ? _raw_spin_unlock+0xa/0x30
[3674886.578433] ? cifs_close_deferred_file_under_dentry+0x138/0x1c0 [cifs]
[3674886.578531] ? __build_path_from_dentry_optional_prefix+0x85/0x250 [cifs]
[3674886.578653] ? __cifs_unlink+0x4df/0x910 [cifs]
[3674886.578755] __cifs_unlink+0x4df/0x910 [cifs]
[3674886.578849] vfs_unlink+0x117/0x290
[3674886.578851] do_unlinkat+0x1af/0x2e0
[3674886.578855] __x64_sys_unlink+0x3e/0x60
[3674886.578857] ? __x64_sys_unlink+0x5/0x60
[3674886.578859] osnoise_arch_unregister+0x210/0x210
[3674886.578862] ? syscall_exit_to_user_mode+0x19/0x40
[3674886.578864] ? do_syscall_64+0x6b/0xe0
[3674886.578866] ? syscall_exit_work+0x103/0x130
[3674886.578869] ? syscall_exit_to_user_mode+0x19/0x40
[3674886.578870] ? do_syscall_64+0x6b/0xe0
[3674886.578871] ? do_filp_open+0xb2/0x160
[3674886.578874] ? __check_object_size.part.0+0x47/0xd0
[3674886.578878] ? do_sys_openat2+0x81/0xd0
[3674886.578882] ? syscall_exit_to_user_mode+0x19/0x40
[3674886.578883] ? syscall_exit_work+0x103/0x130
[3674886.578884] ? syscall_exit_to_user_mode+0x19/0x40
[3674886.578885] ? do_syscall_64+0x6b/0xe0
[3674886.578887] ? syscall_exit_work+0x103/0x130
[3674886.578888] ? syscall_exit_to_user_mode+0x19/0x40
[3674886.578889] ? do_syscall_64+0x6b/0xe0
[3674886.578890] entry_SYSCALL_64_after_hwframe+0x78/0x80
[3674886.578894] RIP: 0033:0x7fba736ff88b
[3674886.578896] Code: f0 ff ff 73 01 c3 48 8b 0d 8a 95 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5d 95 0f 00 f7 d8 64 89 01 48
[3674886.578897] RSP: 002b:00007fff6bde1568 EFLAGS: 00000202 ORIG_RAX: 0000000000000057
[3674886.578899] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fba736ff88b
[3674886.578900] RDX: 00007fff6bde1978 RSI: 00007fff6bde1978 RDI: 00007fff6bde1771
[3674886.578901] RBP: 00007fff6bde1a30 R08: 0000000000000001 R09: 00007fff6bde1771
[3674886.578902] R10: 00007fba7360b1f8 R11: 0000000000000202 R12: 00007fba78095400
[3674886.578903] R13: 00007fba78050700 R14: 00007fff6bde1a48 R15: 0000000000000000
[3674886.578905] </TASK>
[3674886.578906] Modules linked in: nls_utf8 rpcsec_gss_krb5 auth_rpcgss cifs nfsv4 nfs cifs_arc4 rdma_cm iw_cm lockd grace ib_cm fscache cifs_md4 dns_resolver netfs rfkill sunrpc binfmt_misc xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_owner nft_counter nft_compat nf_tables nfnetlink vfat ext4 fat mbcache jbd2 intel_rapl_msr intel_rapl_common intel_uncore_frequency_common isst_if_common nfit libnvdimm mlx5_ib kvm_intel ib_uverbs macsec hyperv_drm kvm ib_core drm_shmem_helper drm_kms_helper rapl pcspkr hv_utils hv_balloon joydev drm fuse xfs libcrc32c mlx5_core mlxfw tls psample pci_hyperv pci_hyperv_intf sd_mod sg hv_storvsc hv_netvsc serio_raw scsi_transport_fc hid_hyperv hyperv_keyboard crct10dif_pclmul crc32_pclmul crc32c_intel hv_vmbus ghash_clmulni_intel dm_mirror dm_region_hash dm_log dm_mod
[3674886.578946] CR2: ffabf17ab964a1c8
[3674886.585159] CIFS: VFS: \\sausw3prddbsrvrmanbkp.file.core.windows.net Send error in SessSetup = -11
[3674886.586033] ---[ end trace 0000000000000000 ]---
[3674886.586035] RIP: 0010:kmem_cache_free+0x62/0x420
[3674886.586039] Code: f4 0f 82 bc 03 00 00 48 c7 c0 00 00 00 80 45 31 ed 48 2b 05 88 4b 35 01 4c 01 e0 48 c1 e8 0c 48 c1 e0 06 48 03 05 66 4b 35 01 <48> 8b 48 08 f6 c1 01 0f 85 e8 02 00 00 0f 1f 44 00 00 48 8b 08 80
[3674886.586040] RSP: 0018:ff648f7b592878d0 EFLAGS: 00010286
[3674886.586041] RAX: ffabf17ab964a1c0 RBX: ff648f7b59287b10 RCX: ff45963644b98000
[3674886.586043] RDX: ff459634d4ddf300 RSI: ff648f7b59287b10 RDI: ff459634d4ddf300
[3674886.588277] RBP: ff648f7b59287920 R08: ff648f7b59287b10 R09: 00000000ffffff90
[3674886.588524] R10: 0000000000000088 R11: 0000000000000000 R12: ff648f7bd9287b10
[3674886.588795] R13: 0000000000000000 R14: 0000000000000000 R15: 00000000ffffff90
[3674886.589048] FS: 00007fba78095400(0000) GS:ff45963d7f940000(0000) knlGS:0000000000000000
[3674886.589304] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[3674886.589560] CR2: ffabf17ab964a1c8 CR3: 000000037ba08003 CR4: 0000000000373ef0
[3674886.589827] Kernel panic - not syncing: Fatal exception
[3674886.882710] Kernel Offset: 0x11400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
Environment
- Red Hat Enterprise Linux
- cifs