Bug 2397568 (CVE-2025-39873) - CVE-2025-39873 kernel: can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB
Summary: CVE-2025-39873 kernel: can: xilinx_can: xcan_write_frame(): fix use-after-fre...
Keywords:
Status: NEW
Alias: CVE-2025-39873
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-23 07:02 UTC by OSIDB Bzimport
Modified: 2025-09-23 17:13 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-23 07:02:23 UTC 
In the Linux kernel, the following vulnerability has been resolved:

can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB

can_put_echo_skb() takes ownership of the SKB and it may be freed
during or after the call.

However, xilinx_can xcan_write_frame() keeps using SKB after the call.

Fix that by only calling can_put_echo_skb() after the code is done
touching the SKB.

The tx_lock is held for the entire xcan_write_frame() execution and
also on the can_get_echo_skb() side so the order of operations does not
matter.

An earlier fix commit 3d3c817c3a40 ("can: xilinx_can: Fix usage of skb
memory") did not move the can_put_echo_skb() call far enough.

[mkl: add "commit" in front of sha1 in patch description]
[mkl: fix indention]
Comment 1 Jon Moroney 2025-09-23 17:11:45 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025092300-CVE-2025-39873-94d3@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.