| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022646-CVE-2025-21719-dbee@gregkh> Date: Wed, 26 Feb 2025 18:06:14 -0800 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2025-21719: ipmr: do not call mr_mfc_uses_dev() for unres entries Description =========== In the Linux kernel, the following vulnerability has been resolved: ipmr: do not call mr_mfc_uses_dev() for unres entries syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to "struct sk_buff_head unresolved", which contain two pointers. This code never worked, lets remove it. [1] Unable to handle kernel paging request at virtual address ffff5fff2d536613 KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f] Modules linked in: CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline] lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334 Call trace: mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P) mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P) mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382 ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648 rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327 rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791 netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317 netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973 sock_recvmsg_nosec net/socket.c:1033 [inline] sock_recvmsg net/socket.c:1055 [inline] sock_read_iter+0x2d8/0x40c net/socket.c:1125 new_sync_read fs/read_write.c:484 [inline] vfs_read+0x740/0x970 fs/read_write.c:565 ksys_read+0x15c/0x26c fs/read_write.c:708 The Linux kernel CVE team has assigned CVE-2025-21719 to this issue. Affected and fixed versions =========================== Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.1.129 with commit 57177c5f47a8da852f8d76cf6945cf803f8bb9e5 Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.6.76 with commit b379b3162ff55a70464c6a934ae9bf0497478a62 Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.12.13 with commit a099834a51ccf9bbba3de86a251b3433539abfde Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.13.2 with commit 26bb7d991f04eeef47dfad23e533834995c26f7a Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.14-rc1 with commit 15a901361ec3fb1c393f91880e1cbf24ec0a88bd Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-21719 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/ipv4/ipmr_base.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/57177c5f47a8da852f8d76cf6945cf803f8bb9e5 https://git.kernel.org/stable/c/b379b3162ff55a70464c6a934ae9bf0497478a62 https://git.kernel.org/stable/c/a099834a51ccf9bbba3de86a251b3433539abfde https://git.kernel.org/stable/c/26bb7d991f04eeef47dfad23e533834995c26f7a https://git.kernel.org/stable/c/15a901361ec3fb1c393f91880e1cbf24ec0a88bd
Powered by blists - more mailing lists