Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2025-38227

Description

In the Linux kernel, the following vulnerability has been resolved:media: vidtv: Terminating the subsequent process of initialization failuresyzbot reported a slab-use-after-free Read in vidtv_mux_init. [1]After PSI initialization fails, the si member is accessed again, resultingin this uaf.After si initialization fails, the subsequent process needs to be exited.[1]BUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline]BUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0Hardware name: Google Compute Engine, BIOS Google 02/12/2025Call Trace:__dump_stack lib/dump_stack.c:94 [inline]dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120print_address_description mm/kasan/report.c:408 [inline]print_report+0xc3/0x670 mm/kasan/report.c:521kasan_report+0xd9/0x110 mm/kasan/report.c:634vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246__fput+0x3ff/0xb70 fs/file_table.c:464task_work_run+0x14e/0x250 kernel/task_work.c:227exit_task_work include/linux/task_work.h:40 [inline]do_exit+0xad8/0x2d70 kernel/exit.c:938do_group_exit+0xd3/0x2a0 kernel/exit.c:1087__do_sys_exit_group kernel/exit.c:1098 [inline]__se_sys_exit_group kernel/exit.c:1096 [inline]__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096x64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232do_syscall_x64 arch/x86/entry/common.c:52 [inline]do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83entry_SYSCALL_64_after_hwframe+0x77/0x7fRIP: 0033:0x7f871d58d169Code: Unable to access opcode bytes at 0x7f871d58d13f.RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840 Allocated by task 6059: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970 vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423 vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973 dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline] dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3ff/0xb70 fs/file_tabl---truncated---

POC

Reference

No PoCs from references.

Github

- https://github.com/w4zu/Debian_security