[LTP] [PATCH v3] cve: add CVE-2025-38236 test
Andrea Cervesato
andrea.cervesato@suse.de
Tue Aug 12 14:30:18 CEST 2025
From: Andrea Cervesato <andrea.cervesato@suse.com>
Test for CVE-2025-38236 fixed in kernel v6.16-rc4:
32ca245464e1 ("af_unix: Don't leave consecutive consumed OOB skbs").
The bug is triggered by sending multiple out-of-band data to a socket and
reading it back from it. According to the MSG_OOB implementation, this
shouldn't be possible. When system is affected by CVE-2025-38236, instead,
skb queue holds MSG_OOB data, breaking recv() and causing a use-after-free
condition.
Even though MSG_OOB is mostly used by Oracle's products, it is enabled by
default in the Linux kernel via CONFIG_AF_UNIX_OOB. It is also reachable from
Chrome's renderer sandbox, which might allow an attacker to escalate and
obtain privileges on the system.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
Changes in v3:
- remove return
- add tag reference in the description and commit log
- Link to v2: https://lore.kernel.org/r/20250812-cve_2025_38236-v2-1-76abeeaeaee6@suse.com
Changes in v2:
- use MSG_DONTWAIT
- add reference in the description
- reduce if/else nesting
- use different data for send()
- Link to v1: https://lore.kernel.org/r/20250812-cve_2025_38236-v1-1-e3617ada69c6@suse.com
---
runtest/cve | 1 +
testcases/cve/.gitignore | 1 +
testcases/cve/cve-2025-38236.c | 100 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 102 insertions(+)
diff --git a/runtest/cve b/runtest/cve
index 1d1d875974f0ce545005faedb78125d33ec7c989..6d575aa2165bcd46e5ca36a07db33f69a91bd94a 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -91,3 +91,4 @@ cve-2023-31248 nft02
cve-2020-25704 perf_event_open03
cve-2022-0185 fsconfig03
cve-2022-4378 cve-2022-4378
+cve-2025-38236 cve-2025-38236
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index 3a2b2bed619c99a592f51afe50b7196c593f1f45..8eb17ce56b01070e47917f9bb44cf146c0c5b338 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -13,3 +13,4 @@ cve-2017-17053
cve-2022-4378
icmp_rate_limit01
tcindex01
+cve-2025-38236
diff --git a/testcases/cve/cve-2025-38236.c b/testcases/cve/cve-2025-38236.c
new file mode 100644
index 0000000000000000000000000000000000000000..16582fe6435005eb3b7741fa6b6d727d6b566320
--- /dev/null
+++ b/testcases/cve/cve-2025-38236.c
@@ -0,0 +1,100 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2025 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * Test for CVE-2025-38236 fixed in kernel v6.16-rc4:
+ * 32ca245464e1 ("af_unix: Don't leave consecutive consumed OOB skbs").
+ *
+ * The bug is triggered by sending multiple out-of-band data to a socket and
+ * reading it back from it. According to the MSG_OOB implementation, this
+ * shouldn't be possible. When system is affected by CVE-2025-38236, instead,
+ * skb queue holds MSG_OOB data, breaking recv() and causing a use-after-free
+ * condition.
+ *
+ * Even if MSG_OOB is mostly used inside Oracle's product, it is enabled by
+ * default in linux kernel via CONFIG_AF_UNIX_OOB. This is accessible via
+ * Chrome's renderer sandbox, which might cause an attacker to escalate and to
+ * obtain privileges in the system.
+ *
+ * Reproducer is based on:
+ * https://project-zero.issues.chromium.org/issues/423023990
+ */
+
+#include "tst_test.h"
+
+static char dummy;
+static int sock[2];
+
+static void run(void)
+{
+ int ret;
+
+ dummy = '\0';
+
+ tst_res(TINFO, "#1 send and receive out-of-band data");
+ SAFE_SEND(0, sock[1], "A", 1, MSG_OOB);
+ SAFE_RECV(0, sock[0], &dummy, 1, MSG_OOB);
+
+ tst_res(TINFO, "#2 send and receive out-of-band data");
+ SAFE_SEND(0, sock[1], "B", 1, MSG_OOB);
+ SAFE_RECV(0, sock[0], &dummy, 1, MSG_OOB);
+
+ tst_res(TINFO, "Send out-of-band data");
+ SAFE_SEND(0, sock[1], "C", 1, MSG_OOB);
+
+ tst_res(TINFO, "Receive data from normal stream");
+
+ ret = recv(sock[0], &dummy, 1, MSG_DONTWAIT);
+ if (ret == -1) {
+ if (errno == EWOULDBLOCK) {
+ tst_res(TPASS, "Can't read out-of-band data from normal stream");
+ return;
+ }
+
+ tst_brk(TBROK | TERRNO, "recv error");
+ }
+
+ const char *msg = "We are able to read out-of-band data from normal stream";
+
+ if (dummy == 'C') {
+ tst_res(TFAIL, "%s", msg);
+ } else {
+ tst_res(TFAIL, "%s, but data doesn't match: '%c' != 'A'",
+ msg, dummy);
+ }
+
+ SAFE_RECV(0, sock[0], &dummy, 1, MSG_OOB);
+
+ tst_res(TFAIL, "We are able to access data from skb queue (use-after-free)");
+}
+
+static void setup(void)
+{
+ SAFE_SOCKETPAIR(AF_UNIX, SOCK_STREAM, 0, sock);
+}
+
+static void cleanup(void)
+{
+ if (sock[0] != -1)
+ SAFE_CLOSE(sock[0]);
+
+ if (sock[1] != -1)
+ SAFE_CLOSE(sock[1]);
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .needs_kconfigs = (const char *[]) {
+ "CONFIG_AF_UNIX_OOB=y",
+ NULL
+ },
+ .tags = (const struct tst_tag[]) {
+ {"linux-git", "32ca245464e1"},
+ {"CVE", "2025-38236"},
+ {}
+ }
+};
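Review bot: The diagnostic in the `else` branch of the `dummy == 'C'` check prints `'%c' != 'A'`, but the byte sent just before is `"C"` and the comparison on the line above is against `'C'`, so the message names the wrong expected value; change it to `tst_res(TFAIL, "%s, but data doesn't match: '%c' != 'C'", msg, dummy);`. Separately, `sock` is zero-initialised, so if SAFE_SOCKETPAIR() fails in setup() both `!= -1` guards in cleanup() pass and SAFE_CLOSE() is, as far as I can tell, called on fd 0 (stdin) rather than skipped; declaring `static int sock[2] = { -1, -1 };` makes the guards effective, and SAFE_CLOSE() already resets the closed entry to -1. A `recv()` return of 0 is not distinguished from a successful 1-byte read and falls through to the "data doesn't match" report with `dummy` still `'\0'`; that may be acceptable for a reproducer, but a one-line comment such as `/* ret == 0 (EOF) is reported as a mismatch on purpose */` would make the intent explicit.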
---
base-commit: e2c58cfcb82be0b376098a67c8f45264282be67a
change-id: 20250812-cve_2025_38236-7cb0cd4fdbf5
Best regards,
--
Andrea Cervesato <andrea.cervesato@suse.com>