CVE-2025-21718 - Exposing and Fixing a Critical Timer Race Condition in Linux Kernel's ROSE Protocol

CVE-2025-21718 identifies a race condition vulnerability in the Linux kernel’s ROSE networking protocol implementation. Specifically, the issue lies in how the protocol manages timers in relation to user-space threads, leading to a dangerous "use-after-free" scenario that can be exploited for local privilege escalation, kernel panic, or data corruption.

In this article, we’ll break down what the flaw was, how it could be triggered, provide code snippets highlighting the vulnerability and the fix, discuss potential exploit scenarios, and link to trusted sources for further reading.

What is ROSE?

ROSE (Radio Amateur Packet Exchange) is a Layer 3 protocol for amateur packet radio based on the X.25 standard. The Linux kernel supports ROSE, but due to its relatively niche use, its code doesn’t get as much scrutiny—making it a potential hotspot for subtle bugs.

The Vulnerability

The flaw is in the handling of timers in the ROSE network implementation. When certain timers expire, their handler functions access the associated socket structure. However, those handlers only acquire the socket "spinlock" (a type of lock used to guard kernel data structures), without checking if the socket is currently owned by a user thread.

Without this check, there’s a window where a user thread might free (close) the socket, while the timer is still referencing it. If the timer expires just after the socket is freed, this can result in a use-after-free vulnerability.

KASAN (Kernel Address Sanitizer) detected this precisely

BUG: KASAN: slab-use-after-free in rose_timer_expiry+x31d/x360 net/rose/rose_timer.c:174
Read of size 2 at addr ffff88802f09b82a by task swapper//
...
rose_timer_expiry+x31d/x360 net/rose/rose_timer.c:174

This says that inside the rose_timer_expiry() function, an object was accessed after being freed (slab-use-after-free).

Here's a simplified version of how the buggy code looked

void rose_timer_expiry(struct timer_list *t)
{
    struct sock *sk = from_timer(sk, t, ...);
    spin_lock(&sk->sk_lock);

    // ... Access sk, which may already have been freed by user-thread
    
    spin_unlock(&sk->sk_lock);
}

Notice that it only acquires sk->sk_lock, but does not check ownership or whether sk is still valid.

The Fix

The kernel patch solves the problem by adding checks for ownership. If the socket is owned by a user thread (meaning, it might be being used or closed elsewhere), the timer handler re-arms itself to try again later, instead of accessing potentially freed memory.

Fixed Code Snippet

void rose_timer_expiry(struct timer_list *t)
{
    struct sock *sk = from_timer(sk, t, ...);

    // Try to acquire the sock with locking & ownership check
    if (!sock_owned_by_user(sk)) {
        spin_lock(&sk->sk_lock);

        // Safe to access sk

        spin_unlock(&sk->sk_lock);
    } else {
        // User thread is using this socket; re-arm timer
        mod_timer(t, jiffies + HZ / 10);
    }
}

The kernel's concurrency safety is therefore maintained: no access is made to a possibly freed socket.

A local attacker could

1. Create a ROSE socket, trigger timer use, and quickly close/free the socket.

The timer handler function, racing against this, might access the memory after it’s freed.

3. If the attacker is crafty and manages heap allocations, they may reliably get attacker-controlled data at the address the kernel uses — this can be abused for privilege escalation or breaking kernel integrity.

Real-World Example in Pseudocode

// User-thread:
sock = socket(AF_ROSE, ...);
ioctl(sock, ...); // triggers a timer on the socket
close(sock);      // frees the socket

// Timer fires and accesses closed socket:
=> Use-after-free crash or exploit

References and Further Reading

* Original Patch and Discussion
net: rose: fix timer races against user threads - Patch commit

* KASAN Documentation
KASAN (Kernel Address Sanitizer)

* General Guide on Use-After-Free in the Kernel
Kernel Use-After-Free Exploitation

How to Protect Yourself

Upgrade your kernel if you're using a version prior to the fix (check your distribution or build from the latest stable kernel). Even if ROSE is not in active use on your system, it's good practice to keep up to date to avoid unexpected vulnerabilities.

Conclusion

CVE-2025-21718 highlights the persistent challenge of writing truly race-free kernel code. Subtle timing bugs, especially in rarely used protocol code like ROSE, can introduce critical security issues that automated fuzzers like syzkaller and sanitizers like KASAN help bring to light. Thanks to vigilant reporting and fast patching, this bug was resolved before it could become a widespread attack vector.


*Exclusive analysis by AI. For more kernel CVEs, keep this post bookmarked.*

Timeline

Published on: 02/27/2025 02:15:15 UTC
Last modified on: 05/04/2025 07:19:42 UTC