* [LTP] [PATCH v3] cve: add CVE-2025-38236 test
@ 2025-08-12 12:30 Andrea Cervesato
2025-08-12 12:31 ` Andrea Cervesato via ltp
2025-08-12 12:47 ` Cyril Hrubis
0 siblings, 2 replies; 5+ messages in thread
From: Andrea Cervesato @ 2025-08-12 12:30 UTC (permalink / raw)
To: ltp
From: Andrea Cervesato <andrea.cervesato@suse.com>
Test for CVE-2025-38236 fixed in kernel v6.16-rc4:
32ca245464e1 ("af_unix: Don't leave consecutive consumed OOB skbs").
The bug is triggered by sending multiple out-of-band data to a socket and
reading it back from it. According to the MSG_OOB implementation, this
shouldn't be possible. When the system is affected by CVE-2025-38236, instead,
the skb queue holds MSG_OOB data, breaking recv() and causing a use-after-free
condition.
Even if MSG_OOB is mostly used inside Oracle's products, it is enabled by
default in the Linux kernel via CONFIG_AF_UNIX_OOB. This is accessible via
Chrome's renderer sandbox, which might allow an attacker to escalate and
obtain privileges on the system.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
Changes in v3:
- remove return
- add tag reference in the description and commit log
- Link to v2: https://lore.kernel.org/r/20250812-cve_2025_38236-v2-1-76abeeaeaee6@suse.com
Changes in v2:
- use MSG_DONTWAIT
- add reference in the description
- reduce if/else nesting
- use different data for send()
- Link to v1: https://lore.kernel.org/r/20250812-cve_2025_38236-v1-1-e3617ada69c6@suse.com
---
runtest/cve | 1 +
testcases/cve/.gitignore | 1 +
testcases/cve/cve-2025-38236.c | 100 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 102 insertions(+)
diff --git a/runtest/cve b/runtest/cve
index 1d1d875974f0ce545005faedb78125d33ec7c989..6d575aa2165bcd46e5ca36a07db33f69a91bd94a 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -91,3 +91,4 @@ cve-2023-31248 nft02
cve-2020-25704 perf_event_open03
cve-2022-0185 fsconfig03
cve-2022-4378 cve-2022-4378
+cve-2025-38236 cve-2025-38236
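Review bot: the new `cve-2025-38236 cve-2025-38236` entry is only added to runtest/cve; tests for syscall-level CVEs are normally listed in the syscalls runtest file as well, so consider adding the same line there in this patch rather than leaving it to a follow-up.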
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index 3a2b2bed619c99a592f51afe50b7196c593f1f45..8eb17ce56b01070e47917f9bb44cf146c0c5b338 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -13,3 +13,4 @@ cve-2017-17053
cve-2022-4378
icmp_rate_limit01
tcindex01
+cve-2025-38236
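Review bot: the new `cve-2025-38236` entry is appended after `tcindex01`, while the other cve-* names sit earlier in the file (`cve-2022-4378` is visible in the context above); placing it next to them keeps the ignore list grouped and easier to scan.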
diff --git a/testcases/cve/cve-2025-38236.c b/testcases/cve/cve-2025-38236.c
new file mode 100644
index 0000000000000000000000000000000000000000..16582fe6435005eb3b7741fa6b6d727d6b566320
--- /dev/null
+++ b/testcases/cve/cve-2025-38236.c
@@ -0,0 +1,100 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2025 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * Test for CVE-2025-38236 fixed in kernel v6.16-rc4:
+ * 32ca245464e1 ("af_unix: Don't leave consecutive consumed OOB skbs").
+ *
+ * The bug is triggered by sending multiple out-of-band data to a socket and
+ * reading it back from it. According to the MSG_OOB implementation, this
+ * shouldn't be possible. When system is affected by CVE-2025-38236, instead,
+ * skb queue holds MSG_OOB data, breaking recv() and causing a use-after-free
+ * condition.
+ *
+ * Even if MSG_OOB is mostly used inside Oracle's product, it is enabled by
+ * default in linux kernel via CONFIG_AF_UNIX_OOB. This is accessible via
+ * Chrome's renderer sandbox, which might cause an attacker to escalate and to
+ * obtain privileges in the system.
+ *
+ * Reproducer is based on:
+ * https://project-zero.issues.chromium.org/issues/423023990
+ */
+
+#include "tst_test.h"
+
+static char dummy;
+static int sock[2];
+
+static void run(void)
+{
+ int ret;
+
+ dummy = '\0';
+
+ tst_res(TINFO, "#1 send and receive out-of-band data");
+ SAFE_SEND(0, sock[1], "A", 1, MSG_OOB);
+ SAFE_RECV(0, sock[0], &dummy, 1, MSG_OOB);
+
+ tst_res(TINFO, "#2 send and receive out-of-band data");
+ SAFE_SEND(0, sock[1], "B", 1, MSG_OOB);
+ SAFE_RECV(0, sock[0], &dummy, 1, MSG_OOB);
+
+ tst_res(TINFO, "Send out-of-band data");
+ SAFE_SEND(0, sock[1], "C", 1, MSG_OOB);
+
+ tst_res(TINFO, "Receive data from normal stream");
+
+ ret = recv(sock[0], &dummy, 1, MSG_DONTWAIT);
+ if (ret == -1) {
+ if (errno == EWOULDBLOCK) {
+ tst_res(TPASS, "Can't read out-of-band data from normal stream");
+ return;
+ }
+
+ tst_brk(TBROK | TERRNO, "recv error");
+ }
+
+ const char *msg = "We are able to read out-of-band data from normal stream";
+
+ if (dummy == 'C') {
+ tst_res(TFAIL, "%s", msg);
+ } else {
+ tst_res(TFAIL, "%s, but data doesn't match: '%c' != 'A'",
+ msg, dummy);
+ }
+
+ SAFE_RECV(0, sock[0], &dummy, 1, MSG_OOB);
+
+ tst_res(TFAIL, "We are able to access data from skb queue (use-after-free)");
+}
+
+static void setup(void)
+{
+ SAFE_SOCKETPAIR(AF_UNIX, SOCK_STREAM, 0, sock);
+}
+
+static void cleanup(void)
+{
+ if (sock[0] != -1)
+ SAFE_CLOSE(sock[0]);
+
+ if (sock[1] != -1)
+ SAFE_CLOSE(sock[1]);
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .needs_kconfigs = (const char *[]) {
+ "CONFIG_AF_UNIX_OOB=y",
+ NULL
+ },
+ .tags = (const struct tst_tag[]) {
+ {"linux-git", "32ca245464e1"},
+ {"CVE", "2025-38236"},
+ {}
+ }
+};
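Review bot: `sock` is declared as `static int sock[2];`, so it starts zero-initialised, but `cleanup()` only skips the close when a value is -1; if `SAFE_SOCKETPAIR()` in `setup()` fails, `tst_brk()` runs `cleanup()` and `SAFE_CLOSE(sock[0])` would close fd 0 instead of being skipped. Initialise it as `static int sock[2] = {-1, -1};`. Also, the TFAIL message on the mismatch branch prints `'%c' != 'A'`, but the byte sent in the third MSG_OOB step is "C", so the text should read `!= 'C'` to match the `dummy == 'C'` check just above it.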
---
base-commit: e2c58cfcb82be0b376098a67c8f45264282be67a
change-id: 20250812-cve_2025_38236-7cb0cd4fdbf5
Best regards,
--
Andrea Cervesato <andrea.cervesato@suse.com>
--
Mailing list info: https://lists.linux.it/listinfo/ltp
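The trigger sequence from the commit message above, as a standalone checker that is an added example and not part of the patch or of LTP: it performs the same three MSG_OOB sends with plain POSIX calls on a socketpair, treats a refused MSG_OOB send as CONFIG_AF_UNIX_OOB being disabled, and stops at the non-blocking normal recv() that separates a fixed kernel (EAGAIN) from the affected behaviour, deliberately not issuing the final MSG_OOB read the test uses to demonstrate the stale skb access. The enum and function names are the example's own, and it assumes a Linux host.

```c
/* Added example: standalone checker for the CVE-2025-38236 trigger sequence.
 * Not LTP code; names below are this example's own. Assumes a Linux host. */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum oob_verdict {
	OOB_ERROR = -1,      /* unexpected syscall failure, result is meaningless */
	OOB_UNSUPPORTED = 0, /* MSG_OOB send refused, e.g. CONFIG_AF_UNIX_OOB=n */
	OOB_FIXED = 1,       /* third OOB byte is not readable from the normal stream */
	OOB_SUSPECT = 2      /* normal recv() returned data: the affected behaviour */
};

static int send_oob(int fd, char c)
{
	return send(fd, &c, 1, MSG_OOB) == 1 ? 0 : -1;
}

static int recv_oob(int fd, char *out)
{
	return recv(fd, out, 1, MSG_OOB) == 1 ? 0 : -1;
}

/* Baseline: in-band data round-trips on a socketpair; validates the harness itself. */
int inband_roundtrip(void)
{
	int sv[2];
	char c = 0;
	int ok = 0;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return 0;
	if (send(sv[1], "x", 1, 0) == 1 &&
	    recv(sv[0], &c, 1, MSG_DONTWAIT) == 1 && c == 'x')
		ok = 1;
	close(sv[0]);
	close(sv[1]);
	return ok;
}

/* Runs the sequence on a fresh socketpair and classifies the outcome.
 * If leaked is non-NULL and the verdict is OOB_SUSPECT, it receives the byte
 * that the normal stream handed back. */
enum oob_verdict probe_consecutive_oob(char *leaked)
{
	int sv[2];
	char c = 0;
	ssize_t n;
	enum oob_verdict v = OOB_ERROR;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return OOB_ERROR;

	/* Step 1: first OOB byte. A refusal here means OOB is not compiled in. */
	if (send_oob(sv[1], 'A') < 0) {
		v = (errno == EOPNOTSUPP || errno == EINVAL) ? OOB_UNSUPPORTED : OOB_ERROR;
		goto out;
	}
	if (recv_oob(sv[0], &c) < 0 || c != 'A')
		goto out;

	/* Step 2: second OOB byte, consumed as well (the "consecutive consumed
	 * OOB skbs" named in the fix title). */
	if (send_oob(sv[1], 'B') < 0 || recv_oob(sv[0], &c) < 0 || c != 'B')
		goto out;

	/* Step 3: a third, unread OOB byte, then a non-blocking normal read.
	 * A fixed kernel has nothing in-band to return and fails with EAGAIN. */
	if (send_oob(sv[1], 'C') < 0)
		goto out;

	n = recv(sv[0], &c, 1, MSG_DONTWAIT);
	if (n == 1) {
		if (leaked)
			*leaked = c;
		v = OOB_SUSPECT;
	} else if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) {
		v = OOB_FIXED;
	}
	/* Any other outcome (n == 0, another errno) stays OOB_ERROR. */
out:
	close(sv[0]);
	close(sv[1]);
	return v;
}

int main(void)
{
	static const char *names[] = { "unsupported", "fixed", "suspect" };
	char leaked = 0;
	int v = probe_consecutive_oob(&leaked);

	if (v < 0) {
		perror("probe");
		return 2;
	}
	printf("verdict: %s\n", names[v]);
	if (v == OOB_SUSPECT)
		printf("normal recv() returned byte 0x%02x\n", (unsigned char)leaked);
	return v == OOB_SUSPECT;
}
```

The checker exits non-zero only for OOB_SUSPECT, so it can gate a kernel in a CI job the same way the LTP test would, while an OOB_UNSUPPORTED result tells you the test is not applicable rather than passing vacuously.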
* Re: [LTP] [PATCH v3] cve: add CVE-2025-38236 test
2025-08-12 12:30 [LTP] [PATCH v3] cve: add CVE-2025-38236 test Andrea Cervesato
@ 2025-08-12 12:31 ` Andrea Cervesato via ltp
2025-08-12 13:43 ` Petr Vorel
2025-08-12 12:47 ` Cyril Hrubis
1 sibling, 1 reply; 5+ messages in thread
From: Andrea Cervesato via ltp @ 2025-08-12 12:31 UTC (permalink / raw)
To: Andrea Cervesato, ltp
I can merge v3, should I add Reviewed-by tag for Cyril and Wei?
- Andrea
* Re: [LTP] [PATCH v3] cve: add CVE-2025-38236 test
2025-08-12 12:31 ` Andrea Cervesato via ltp
@ 2025-08-12 13:43 ` Petr Vorel
0 siblings, 0 replies; 5+ messages in thread
From: Petr Vorel @ 2025-08-12 13:43 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp
Hi all,
> I can merge v3, should I add Reviewed-by tag for Cyril and Wei?
I asked Wei to fix a leaking file descriptor (I even posted code which fixes it):
./ioctl11 -i2000
ioctl11.c:137: TBROK: open(/proc/self/maps,0,0000) failed: EMFILE (24)
This can be fixed before merge (although v4 is better).
I haven't looked at the new code yet (I'll try to do tomorrow). You don't have
to wait for me, but it would be good if somebody else (Cyril, Li) reviewed the
code before merge.
Kind regards,
Petr
> - Andrea
* Re: [LTP] [PATCH v3] cve: add CVE-2025-38236 test
2025-08-12 12:30 [LTP] [PATCH v3] cve: add CVE-2025-38236 test Andrea Cervesato
2025-08-12 12:31 ` Andrea Cervesato via ltp
@ 2025-08-12 12:47 ` Cyril Hrubis
2025-08-12 13:10 ` Andrea Cervesato via ltp
1 sibling, 1 reply; 5+ messages in thread
From: Cyril Hrubis @ 2025-08-12 12:47 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp
Hi!
> ---
> runtest/cve | 1 +
Usually syscall related CVEs are added to syscalls runtest as well. This
is something for the "let's generate runtest files" discussion though.
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
--
Cyril Hrubis
chrubis@suse.cz