lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025050126-CVE-2025-23145-4a18@gregkh> Date: Thu, 1 May 2025 14:56:25 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: mptcp: fix NULL pointer in can_accept_new_subflow When testing valkey benchmark tool with MPTCP, the kernel panics in 'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL. Call trace: mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P) subflow_syn_recv_sock (./net/mptcp/subflow.c:854) tcp_check_req (./net/ipv4/tcp_minisocks.c:863) tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268) ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207) ip_local_deliver_finish (./net/ipv4/ip_input.c:234) ip_local_deliver (./net/ipv4/ip_input.c:254) ip_rcv_finish (./net/ipv4/ip_input.c:449) ... According to the debug log, the same req received two SYN-ACK in a very short time, very likely because the client retransmits the syn ack due to multiple reasons. Even if the packets are transmitted with a relevant time interval, they can be processed by the server on different CPUs concurrently). The 'subflow_req->msk' ownership is transferred to the subflow the first, and there will be a risk of a null pointer dereference here. This patch fixes this issue by moving the 'subflow_req->msk' under the `own_req == true` conditional. Note that the !msk check in subflow_hmac_valid() can be dropped, because the same check already exists under the own_req mpj branch where the code has been moved to. The Linux kernel CVE team has assigned CVE-2025-23145 to this issue. Affected and fixed versions =========================== Issue introduced in 5.9 with commit 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 and fixed in 6.1.135 with commit 855bf0aacd51fced11ea9aa0d5101ee0febaeadb Issue introduced in 5.9 with commit 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 and fixed in 6.6.88 with commit 7f9ae060ed64aef8f174c5f1ea513825b1be9af1 Issue introduced in 5.9 with commit 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 and fixed in 6.12.24 with commit dc81e41a307df523072186b241fa8244fecd7803 Issue introduced in 5.9 with commit 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 and fixed in 6.13.12 with commit efd58a8dd9e7a709a90ee486a4247c923d27296f Issue introduced in 5.9 with commit 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 and fixed in 6.14.3 with commit 4b2649b9717678aeb097893cc49f59311a1ecab0 Issue introduced in 5.9 with commit 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 and fixed in 6.15-rc1 with commit 443041deb5ef6a1289a99ed95015ec7442f141dc Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-23145 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/mptcp/subflow.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/855bf0aacd51fced11ea9aa0d5101ee0febaeadb https://git.kernel.org/stable/c/7f9ae060ed64aef8f174c5f1ea513825b1be9af1 https://git.kernel.org/stable/c/dc81e41a307df523072186b241fa8244fecd7803 https://git.kernel.org/stable/c/efd58a8dd9e7a709a90ee486a4247c923d27296f https://git.kernel.org/stable/c/4b2649b9717678aeb097893cc49f59311a1ecab0 https://git.kernel.org/stable/c/443041deb5ef6a1289a99ed95015ec7442f141dc
Powered by blists - more mailing lists