| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061845-CVE-2025-38018-0c91@gregkh> Date: Wed, 18 Jun 2025 11:28:52 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38018: net/tls: fix kernel panic when alloc_page failed From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: net/tls: fix kernel panic when alloc_page failed We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called. This is because we don't reset full_len in tls_strp_flush_anchor_copy() so the recv path will try to continue handling the partial record on the next call but we dettached the rcvq from the frag list. Alternative fix would be to reset full_len. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028 Call trace: tls_strp_check_rcv+0x128/0x27c tls_strp_data_ready+0x34/0x44 tls_data_ready+0x3c/0x1f0 tcp_data_ready+0x9c/0xe4 tcp_data_queue+0xf6c/0x12d0 tcp_rcv_established+0x52c/0x798 The Linux kernel CVE team has assigned CVE-2025-38018 to this issue. Affected and fixed versions =========================== Issue introduced in 6.0 with commit 84c61fe1a75b4255df1e1e7c054c9e6d048da417 and fixed in 6.1.140 with commit 8f7f96549bc55e4ef3a6b499bc5011e5de2f46c4 Issue introduced in 6.0 with commit 84c61fe1a75b4255df1e1e7c054c9e6d048da417 and fixed in 6.6.92 with commit 406d05da26835943568e61bb751c569efae071d4 Issue introduced in 6.0 with commit 84c61fe1a75b4255df1e1e7c054c9e6d048da417 and fixed in 6.12.30 with commit a11b8c0be6acd0505a58ff40d474bd778b25b93a Issue introduced in 6.0 with commit 84c61fe1a75b4255df1e1e7c054c9e6d048da417 and fixed in 6.14.8 with commit 5f1f833cb388592bb46104463a1ec1b7c41975b6 Issue introduced in 6.0 with commit 84c61fe1a75b4255df1e1e7c054c9e6d048da417 and fixed in 6.15 with commit 491deb9b8c4ad12fe51d554a69b8165b9ef9429f Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38018 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/tls/tls_strp.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/8f7f96549bc55e4ef3a6b499bc5011e5de2f46c4 https://git.kernel.org/stable/c/406d05da26835943568e61bb751c569efae071d4 https://git.kernel.org/stable/c/a11b8c0be6acd0505a58ff40d474bd778b25b93a https://git.kernel.org/stable/c/5f1f833cb388592bb46104463a1ec1b7c41975b6 https://git.kernel.org/stable/c/491deb9b8c4ad12fe51d554a69b8165b9ef9429f
Powered by blists - more mailing lists