| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025040131-CVE-2025-21921-9deb@gregkh>
Date: Tue, 1 Apr 2025 16:39:45 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2025-21921: net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device
ethnl_req_get_phydev() is used to lookup a phy_device, in the case an
ethtool netlink command targets a specific phydev within a netdev's
topology.
It takes as a parameter a const struct nlattr *header that's used for
error handling :
if (!phydev) {
NL_SET_ERR_MSG_ATTR(extack, header,
"no phy matching phyindex");
return ERR_PTR(-ENODEV);
}
In the notify path after a ->set operation however, there's no request
attributes available.
The typical callsite for the above function looks like:
phydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],
info->extack);
So, when tb is NULL (such as in the ethnl notify path), we have a nice
crash.
It turns out that there's only the PLCA command that is in that case, as
the other phydev-specific commands don't have a notification.
This commit fixes the crash by passing the cmd index and the nlattr
array separately, allowing NULL-checking it directly inside the helper.
The Linux kernel CVE team has assigned CVE-2025-21921 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.12 with commit c15e065b46dc4e19837275b826c1960d55564abd and fixed in 6.12.19 with commit 639c70352958735addbba5ae7dd65985da96e061
Issue introduced in 6.12 with commit c15e065b46dc4e19837275b826c1960d55564abd and fixed in 6.13.7 with commit 1f458fa42c29144cef280e05bc49fc21b873d897
Issue introduced in 6.12 with commit c15e065b46dc4e19837275b826c1960d55564abd and fixed in 6.14 with commit 637399bf7e77797811adf340090b561a8f9d1213
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-21921
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/ethtool/cabletest.c
net/ethtool/linkstate.c
net/ethtool/netlink.c
net/ethtool/netlink.h
net/ethtool/phy.c
net/ethtool/plca.c
net/ethtool/pse-pd.c
net/ethtool/stats.c
net/ethtool/strset.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/639c70352958735addbba5ae7dd65985da96e061
https://git.kernel.org/stable/c/1f458fa42c29144cef280e05bc49fc21b873d897
https://git.kernel.org/stable/c/637399bf7e77797811adf340090b561a8f9d1213
Powered by blists - more mailing lists