[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2025072502-CVE-2025-38441-bb71@gregkh>
Date: Fri, 25 Jul 2025 17:28:03 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38441: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()
syzbot found a potential access to uninit-value in nf_flow_pppoe_proto()
Blamed commit forgot the Ethernet header.
BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27
nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27
nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]
nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623
nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline]
nf_ingress net/core/dev.c:5742 [inline]
__netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837
__netif_receive_skb_one_core net/core/dev.c:5975 [inline]
__netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090
netif_receive_skb_internal net/core/dev.c:6176 [inline]
netif_receive_skb+0x57/0x630 net/core/dev.c:6235
tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938
tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xb4b/0x1580 fs/read_write.c:686
ksys_write fs/read_write.c:738 [inline]
__do_sys_write fs/read_write.c:749 [inline]
The Linux kernel CVE team has assigned CVE-2025-38441 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.15.157 with commit d06977b9a4109f8738bb276125eb6a0b772bc433 and fixed in 5.15.189 with commit a3aea97d55964e70a1e6426aa4cafdc036e8a2dd
Issue introduced in 6.1.88 with commit 8bf7c76a2a207ca2b4cfda0a279192adf27678d7 and fixed in 6.1.146 with commit eed8960b289327235185b7c32649c3470a3e969b
Issue introduced in 6.6.29 with commit a2471d271042ea18e8a6babc132a8716bb2f08b9 and fixed in 6.6.99 with commit 9fbc49429a23b02595ba82536c5ea425fdabb221
Issue introduced in 6.9 with commit 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf and fixed in 6.12.39 with commit e0dd2e9729660f3f4fcb16e0aef87342911528ef
Issue introduced in 6.9 with commit 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf and fixed in 6.15.7 with commit cfbf0665969af2c69d10c377d4c3d306e717efb4
Issue introduced in 6.9 with commit 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf and fixed in 6.16-rc6 with commit 18cdb3d982da8976b28d57691eb256ec5688fad2
Issue introduced in 6.8.8 with commit cf366ee3bc1b7d1c76a882640ba3b3f8f1039163
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38441
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
include/net/netfilter/nf_flow_table.h
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/a3aea97d55964e70a1e6426aa4cafdc036e8a2dd
https://git.kernel.org/stable/c/eed8960b289327235185b7c32649c3470a3e969b
https://git.kernel.org/stable/c/9fbc49429a23b02595ba82536c5ea425fdabb221
https://git.kernel.org/stable/c/e0dd2e9729660f3f4fcb16e0aef87342911528ef
https://git.kernel.org/stable/c/cfbf0665969af2c69d10c377d4c3d306e717efb4
https://git.kernel.org/stable/c/18cdb3d982da8976b28d57691eb256ec5688fad2
Powered by blists - more mailing lists