CVE-2025-38378

{"id": "CVE-2025-38378", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-07-25T13:15:26.917", "references": [{"url": "https://git.kernel.org/stable/c/38224c472a038fa9ccd4085511dd9f3d6119dbf9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/51720dee3a61ebace36c3dcdd0b4a488e0970f29", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\n\nIn probe appletb_kbd_probe() a \"struct appletb_kbd *kbd\" is allocated\nvia devm_kzalloc() to store touch bar keyboard related data.\nLater on if backlight_device_get_by_name() finds a backlight device\nwith name \"appletb_backlight\" a timer (kbd->inactivity_timer) is setup\nwith appletb_inactivity_timer() and the timer is armed to run after\nappletb_tb_dim_timeout (60) seconds.\n\nA use-after-free is triggered when failure occurs after the timer is\narmed. This ultimately means probe failure occurs and as a result the\n\"struct appletb_kbd *kbd\" which is device managed memory is freed.\nAfter 60 seconds the timer will have expired and __run_timers will\nattempt to access the timer (kbd->inactivity_timer) however the kdb\nstructure has been freed causing a use-after free.\n\n[ 71.636938] ==================================================================\n[ 71.637915] BUG: KASAN: slab-use-after-free in __run_timers+0x7ad/0x890\n[ 71.637915] Write of size 8 at addr ffff8881178c5958 by task swapper/1/0\n[ 71.637915]\n[ 71.637915] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc2-00318-g739a6c93cc75-dirty #12 PREEMPT(voluntary)\n[ 71.637915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n[ 71.637915] Call Trace:\n[ 71.637915] <IRQ>\n[ 71.637915] dump_stack_lvl+0x53/0x70\n[ 71.637915] print_report+0xce/0x670\n[ 71.637915] ? __run_timers+0x7ad/0x890\n[ 71.637915] kasan_report+0xce/0x100\n[ 71.637915] ? __run_timers+0x7ad/0x890\n[ 71.637915] __run_timers+0x7ad/0x890\n[ 71.637915] ? __pfx___run_timers+0x10/0x10\n[ 71.637915] ? update_process_times+0xfc/0x190\n[ 71.637915] ? __pfx_update_process_times+0x10/0x10\n[ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0\n[ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0\n[ 71.637915] ? __pfx__raw_spin_lock_irq+0x10/0x10\n[ 71.637915] run_timer_softirq+0x141/0x240\n[ 71.637915] ? __pfx_run_timer_softirq+0x10/0x10\n[ 71.637915] ? __pfx___hrtimer_run_queues+0x10/0x10\n[ 71.637915] ? kvm_clock_get_cycles+0x18/0x30\n[ 71.637915] ? ktime_get+0x60/0x140\n[ 71.637915] handle_softirqs+0x1b8/0x5c0\n[ 71.637915] ? __pfx_handle_softirqs+0x10/0x10\n[ 71.637915] irq_exit_rcu+0xaf/0xe0\n[ 71.637915] sysvec_apic_timer_interrupt+0x6c/0x80\n[ 71.637915] </IRQ>\n[ 71.637915]\n[ 71.637915] Allocated by task 39:\n[ 71.637915] kasan_save_stack+0x33/0x60\n[ 71.637915] kasan_save_track+0x14/0x30\n[ 71.637915] __kasan_kmalloc+0x8f/0xa0\n[ 71.637915] __kmalloc_node_track_caller_noprof+0x195/0x420\n[ 71.637915] devm_kmalloc+0x74/0x1e0\n[ 71.637915] appletb_kbd_probe+0x37/0x3c0\n[ 71.637915] hid_device_probe+0x2d1/0x680\n[ 71.637915] really_probe+0x1c3/0x690\n[ 71.637915] __driver_probe_device+0x247/0x300\n[ 71.637915] driver_probe_device+0x49/0x210\n[...]\n[ 71.637915]\n[ 71.637915] Freed by task 39:\n[ 71.637915] kasan_save_stack+0x33/0x60\n[ 71.637915] kasan_save_track+0x14/0x30\n[ 71.637915] kasan_save_free_info+0x3b/0x60\n[ 71.637915] __kasan_slab_free+0x37/0x50\n[ 71.637915] kfree+0xcf/0x360\n[ 71.637915] devres_release_group+0x1f8/0x3c0\n[ 71.637915] hid_device_probe+0x315/0x680\n[ 71.637915] really_probe+0x1c3/0x690\n[ 71.637915] __driver_probe_device+0x247/0x300\n[ 71.637915] driver_probe_device+0x49/0x210\n[...]\n\nThe root cause of the issue is that the timer is not disarmed\non failure paths leading to it remaining active and accessing\nfreed memory. To fix this call timer_delete_sync() to deactivate\nthe timer.\n\nAnother small issue is that timer_delete_sync is called\nunconditionally in appletb_kbd_remove(), fix this by checking\nfor a valid kbd->backlight_dev before calling timer_delete_sync."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: appletb-kbd: correcci\u00f3n de use-after-free de slab en appletb_kbd_probe. En la sonda appletb_kbd_probe(), se asigna una estructura \"struct appletb_kbd *kbd\" mediante devm_kzalloc() para almacenar datos relacionados con el teclado de la barra t\u00e1ctil. Posteriormente, si backlight_device_get_by_name() encuentra un dispositivo de retroiluminaci\u00f3n con el nombre \"appletb_backlight\", se configura un temporizador (kbd-&gt;inactivity_timer) con appletb_inactivity_timer() y se arma para que se ejecute despu\u00e9s de appletb_tb_dim_timeout (60) segundos. Se activa un uso tras liberaci\u00f3n cuando se produce un fallo despu\u00e9s de que el temporizador est\u00e9 armado. Esto, en \u00faltima instancia, significa que se produce un fallo en la sonda y, como resultado, se libera la estructura \"struct appletb_kbd *kbd\", que es la memoria administrada por el dispositivo. Despu\u00e9s de 60 segundos, el temporizador habr\u00e1 expirado y __run_timers intentar\u00e1 acceder al temporizador (kbd-&gt;inactivity_timer); sin embargo, la estructura kdb se habr\u00e1 liberado, lo que provocar\u00e1 un use-after-free. [ 71.636938] ================================================================== [ 71.637915] BUG: KASAN: slab-use-after-free in __run_timers+0x7ad/0x890 [ 71.637915] Write of size 8 at addr ffff8881178c5958 by task swapper/1/0 [ 71.637915] [ 71.637915] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc2-00318-g739a6c93cc75-dirty #12 PREEMPT(voluntary) [ 71.637915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 71.637915] Call Trace: [ 71.637915] [ 71.637915] dump_stack_lvl+0x53/0x70 [ 71.637915] print_report+0xce/0x670 [ 71.637915] ? __run_timers+0x7ad/0x890 [ 71.637915] kasan_report+0xce/0x100 [ 71.637915] ? __run_timers+0x7ad/0x890 [ 71.637915] __run_timers+0x7ad/0x890 [ 71.637915] ? __pfx___run_timers+0x10/0x10 [ 71.637915] ? update_process_times+0xfc/0x190 [ 71.637915] ? __pfx_update_process_times+0x10/0x10 [ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0 [ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0 [ 71.637915] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 71.637915] run_timer_softirq+0x141/0x240 [ 71.637915] ? __pfx_run_timer_softirq+0x10/0x10 [ 71.637915] ? __pfx___hrtimer_run_queues+0x10/0x10 [ 71.637915] ? kvm_clock_get_cycles+0x18/0x30 [ 71.637915] ? ktime_get+0x60/0x140 [ 71.637915] handle_softirqs+0x1b8/0x5c0 [ 71.637915] ? __pfx_handle_softirqs+0x10/0x10 [ 71.637915] irq_exit_rcu+0xaf/0xe0 [ 71.637915] sysvec_apic_timer_interrupt+0x6c/0x80 [ 71.637915] [ 71.637915] [ 71.637915] Allocated by task 39: [ 71.637915] kasan_save_stack+0x33/0x60 [ 71.637915] kasan_save_track+0x14/0x30 [ 71.637915] __kasan_kmalloc+0x8f/0xa0 [ 71.637915] __kmalloc_node_track_caller_noprof+0x195/0x420 [ 71.637915] devm_kmalloc+0x74/0x1e0 [ 71.637915] appletb_kbd_probe+0x37/0x3c0 [ 71.637915] hid_device_probe+0x2d1/0x680 [ 71.637915] really_probe+0x1c3/0x690 [ 71.637915] __driver_probe_device+0x247/0x300 [ 71.637915] driver_probe_device+0x49/0x210 [...] [ 71.637915] [ 71.637915] Freed by task 39: [ 71.637915] kasan_save_stack+0x33/0x60 [ 71.637915] kasan_save_track+0x14/0x30 [ 71.637915] kasan_save_free_info+0x3b/0x60 [ 71.637915] __kasan_slab_free+0x37/0x50 [ 71.637915] kfree+0xcf/0x360 [ 71.637915] devres_release_group+0x1f8/0x3c0 [ 71.637915] hid_device_probe+0x315/0x680 [ 71.637915] really_probe+0x1c3/0x690 [ 71.637915] __driver_probe_device+0x247/0x300 [ 71.637915] driver_probe_device+0x49/0x210 [...] La causa principal del problema es que el temporizador no se desactiva en rutas de fallo, lo que provoca que permanezca activo y acceda a la memoria liberada. Para solucionar esto, llame a timer_delete_sync() para desactivarlo. Otro peque\u00f1o problema es que timer_delete_sync se llama incondicionalmente en appletb_kbd_remove(). Para solucionarlo, compruebe si hay un `kbd-&gt;backlight_dev` v\u00e1lido antes de llamar a timer_delete_sync."}], "lastModified": "2025-11-19T20:05:17.357", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "575B7891-8019-4D0D-B284-1B8DA410C942", "versionEndExcluding": "6.15.6", "versionStartIncluding": "6.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D4894DB-CCFE-4602-B1BF-3960B2E19A01"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09709862-E348-4378-8632-5A7813EDDC86"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "415BF58A-8197-43F5-B3D7-D1D63057A26E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A0517869-312D-4429-80C2-561086E1421C"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}