CVE-2025-38595

{"id": "CVE-2025-38595", "cveTags": [], "metrics": {}, "published": "2025-08-19T17:15:37.343", "references": [{"url": "https://git.kernel.org/stable/c/3edfd2353f301bfffd5ee41066e37320a59ccc2d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/532c8b51b3a8676cbf533a291f8156774f30ea87", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d59d49af4aeed9a81e673e37c26c6a3bacf1a181", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e5907885260401bba300d4d18d79875c05b82651", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen: fix UAF in dmabuf_exp_from_pages()\n\n[dma_buf_fd() fixes; no preferences regarding the tree it goes through -\nup to xen folks]\n\nAs soon as we'd inserted a file reference into descriptor table, another\nthread could close it. That's fine for the case when all we are doing is\nreturning that descriptor to userland (it's a race, but it's a userland\nrace and there's nothing the kernel can do about it). However, if we\nfollow fd_install() with any kind of access to objects that would be\ndestroyed on close (be it the struct file itself or anything destroyed\nby its ->release()), we have a UAF.\n\ndma_buf_fd() is a combination of reserving a descriptor and fd_install().\ngntdev dmabuf_exp_from_pages() calls it and then proceeds to access the\nobjects destroyed on close - starting with gntdev_dmabuf itself.\n\nFix that by doing reserving descriptor before anything else and do\nfd_install() only when everything had been set up."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: xen: correcci\u00f3n de UAF en dmabuf_exp_from_pages() [dma_buf_fd() corrige; no hay preferencias sobre el \u00e1rbol que recorre - depende de los usuarios de xen]. En cuanto insertamos una referencia a un archivo en la tabla de descriptores, otro hilo podr\u00eda cerrarla. Esto funciona bien cuando solo devolvemos ese descriptor al espacio de usuario (es una ejecuci\u00f3n, pero es una ejecuci\u00f3n de espacio de usuario y el kernel no puede hacer nada al respecto). Sin embargo, si despu\u00e9s de fd_install() accedemos a objetos que se destruir\u00edan al cerrar (ya sea el propio archivo de estructura o cualquier objeto destruido por su ->release()), tenemos un UAF. dma_buf_fd() combina la reserva de un descriptor con fd_install(). gntdev dmabuf_exp_from_pages() lo llama y procede a acceder a los objetos destruidos al cerrar, empezando por el propio gntdev_dmabuf. Arregle esto reservando el descriptor antes de cualquier otra cosa y ejecutando fd_install() solo cuando todo est\u00e9 configurado."}], "lastModified": "2025-08-20T14:40:17.713", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}