lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025031214-CVE-2025-21855-2d67@gregkh> Date: Wed, 12 Mar 2025 10:42:21 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2025-21855: ibmvnic: Don't reference skb after sending to VIOS Description =========== In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Don't reference skb after sending to VIOS Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb. It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic] Read of size 4 at addr c00000024eb48a70 by task hxecom/14495 <...> Call Trace: [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable) [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0 [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8 [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0 [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic] [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358 <...> Freed by task 0: kasan_save_stack+0x34/0x68 kasan_save_track+0x2c/0x50 kasan_save_free_info+0x64/0x108 __kasan_mempool_poison_object+0x148/0x2d4 napi_skb_cache_put+0x5c/0x194 net_tx_action+0x154/0x5b8 handle_softirqs+0x20c/0x60c do_softirq_own_stack+0x6c/0x88 <...> The buggy address belongs to the object at c00000024eb48a00 which belongs to the cache skbuff_head_cache of size 224 ================================================================== The Linux kernel CVE team has assigned CVE-2025-21855 to this issue. Affected and fixed versions =========================== Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.1.130 with commit 501ac6a7e21b82e05207c6b4449812d82820f306 Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.6.80 with commit 093b0e5c90592773863f300b908b741622eef597 Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.12.17 with commit 25dddd01dcc8ef3acff964dbb32eeb0d89f098e9 Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.13.5 with commit abaff2717470e4b5b7c0c3a90e128b211a23da09 Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.14-rc4 with commit bdf5d13aa05ec314d4385b31ac974d6c7e0997c9 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-21855 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/ethernet/ibm/ibmvnic.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/501ac6a7e21b82e05207c6b4449812d82820f306 https://git.kernel.org/stable/c/093b0e5c90592773863f300b908b741622eef597 https://git.kernel.org/stable/c/25dddd01dcc8ef3acff964dbb32eeb0d89f098e9 https://git.kernel.org/stable/c/abaff2717470e4b5b7c0c3a90e128b211a23da09 https://git.kernel.org/stable/c/bdf5d13aa05ec314d4385b31ac974d6c7e0997c9
Powered by blists - more mailing lists