Message-ID: <2025072504-CVE-2025-38377-a0c0@gregkh>
Date: Fri, 25 Jul 2025 14:55:08 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38377: rose: fix dangling neighbour pointers in rose_rt_device_down()

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

rose: fix dangling neighbour pointers in rose_rt_device_down()

There are two bugs in rose_rt_device_down() that can cause
use-after-free:

1. The loop bound `t->count` is modified within the loop, which can
   cause the loop to terminate early and miss some entries.

2. When removing an entry from the neighbour array, the subsequent entries
   are moved up to fill the gap, but the loop index `i` is still
   incremented, causing the next entry to be skipped.

For example, if a node has three neighbours (A, A, B) with count=3 and A
is being removed, the second A is not checked.

    i=0: (A, A, B) -> (A, B) with count=2
          ^ checked
    i=1: (A, B)    -> (A, B) with count=2
             ^ checked (B, not A!)
    i=2: (doesn't occur because i < count is false)

This leaves the second A in the array with count=2, but the rose_neigh
structure has been freed. Code that accesses these entries assumes that
the first `count` entries are valid pointers, causing a use-after-free
when it accesses the dangling pointer.

Fix both issues by iterating over the array in reverse order with a fixed
loop bound. This ensures that all entries are examined and that the removal
of an entry doesn't affect subsequent iterations.

The Linux kernel CVE team has assigned CVE-2025-38377 to this issue.
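The following is an added, stand-alone model of the two loop defects described above and of the reverse-iteration fix; it is not code from net/rose/rose_route.c or from the fixing commits. Names such as model_node, model_neigh, NEIGHBOURS, remove_neigh_buggy and remove_neigh_fixed are assumptions chosen for this illustration, the three-slot array and the switch-based shift mirror only the shape of the logic the commit message describes, and the "freed" neighbour is simulated by pointer comparison rather than by kfree(). run_scenario() builds a node from a constructed layout string such as "AAB", removes neighbour A with one of the two routines, and returns how many of the first `count` slots still point at A, i.e. how many pointers would be dangling once A's rose_neigh is freed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a rose_node's neighbour array (assumption: three
 * slots, of which only the first `count` are considered valid). */
#define NEIGHBOURS 3

struct model_neigh { char name; };

struct model_node {
    struct model_neigh *neighbour[NEIGHBOURS];
    int count;                      /* number of valid leading entries */
};

/* Forward loop with the two defects from the description: the bound
 * t->count shrinks inside the loop, and i still advances after entries
 * have been shifted up into slot i. */
static void remove_neigh_buggy(struct model_node *t, struct model_neigh *s)
{
    int i;

    for (i = 0; i < t->count; i++) {
        if (t->neighbour[i] != s)
            continue;
        t->count--;
        switch (i) {            /* shift later entries up by one slot */
        case 0:
            t->neighbour[0] = t->neighbour[1];
            /* fall through */
        case 1:
            t->neighbour[1] = t->neighbour[2];
            /* fall through */
        case 2:
            break;
        }
    }
}

/* Reverse iteration, bound fixed when the loop starts: removing slot i
 * only moves slots i+1.., which have already been examined, so every
 * valid entry is checked exactly once. Model of the fix's idea, not the
 * literal kernel diff. */
static void remove_neigh_fixed(struct model_node *t, struct model_neigh *s)
{
    int i;

    for (i = t->count - 1; i >= 0; i--) {
        if (t->neighbour[i] != s)
            continue;
        t->count--;
        switch (i) {
        case 0:
            t->neighbour[0] = t->neighbour[1];
            /* fall through */
        case 1:
            t->neighbour[1] = t->neighbour[2];
            /* fall through */
        case 2:
            break;
        }
    }
}

/* Count valid slots still pointing at the neighbour about to be freed. */
static int dangling_entries(const struct model_node *t,
                            const struct model_neigh *freed)
{
    int i, n = 0;

    for (i = 0; i < t->count; i++)
        if (t->neighbour[i] == freed)
            n++;
    return n;
}

static struct model_neigh neigh_a = { 'A' };
static struct model_neigh neigh_b = { 'B' };

/* Build a node from a constructed layout string ("AAB", "BAA", ...),
 * remove neighbour A with the chosen routine and report how many
 * dangling pointers remain among the first `count` slots; the final
 * count is stored through count_out when it is non-NULL. */
static int run_scenario(const char *layout, bool use_fixed, int *count_out)
{
    struct model_node t;
    int i;

    memset(&t, 0, sizeof t);
    t.count = (int)strlen(layout);
    if (t.count > NEIGHBOURS)
        t.count = NEIGHBOURS;
    for (i = 0; i < t.count; i++)
        t.neighbour[i] = layout[i] == 'A' ? &neigh_a : &neigh_b;

    if (use_fixed)
        remove_neigh_fixed(&t, &neigh_a);
    else
        remove_neigh_buggy(&t, &neigh_a);

    if (count_out)
        *count_out = t.count;
    return dangling_entries(&t, &neigh_a);
}

int main(void)
{
    const char *layouts[] = { "AAB", "BAA", "ABA" };
    size_t k;

    for (k = 0; k < sizeof layouts / sizeof layouts[0]; k++) {
        int cb, cf;
        int db = run_scenario(layouts[k], false, &cb);
        int df = run_scenario(layouts[k], true, &cf);
        printf("%s: buggy -> count=%d dangling=%d | fixed -> count=%d dangling=%d\n",
               layouts[k], cb, db, cf, df);
    }
    return 0;
}
```

The "AAB" case reproduces the walkthrough in the description: the buggy loop ends with count=2 and the second A still in slot 1, while the fixed loop ends with count=1 and only B left. "BAA" shows the shrinking-bound problem on its own, and "ABA" shows that the buggy loop happens to get some layouts right, which is why the defect is easy to miss in testing.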


Affected and fixed versions
===========================

	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.296 with commit 94e0918e39039c47ddceb609500817f7266be756
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.240 with commit fe62a35fb1f77f494ed534fc69a9043dc5a30ce1
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.187 with commit 2b952dbb32fef835756f07ff0cd77efbb836dfea
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.144 with commit b6b232e16e08c6dc120672b4753392df0d28c1b4
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.97 with commit 7a1841c9609377e989ec41c16551309ce79c39e4
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.12.37 with commit 446ac00b86be1670838e513b643933d78837d8db
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.15.6 with commit 2c6c82ee074bfcfd1bc978ec45bfea37703d840a
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.16-rc5 with commit 34a500caf48c47d5171f4aa1f237da39b07c6157

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38377
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/rose/rose_route.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/94e0918e39039c47ddceb609500817f7266be756
	https://git.kernel.org/stable/c/fe62a35fb1f77f494ed534fc69a9043dc5a30ce1
	https://git.kernel.org/stable/c/2b952dbb32fef835756f07ff0cd77efbb836dfea
	https://git.kernel.org/stable/c/b6b232e16e08c6dc120672b4753392df0d28c1b4
	https://git.kernel.org/stable/c/7a1841c9609377e989ec41c16551309ce79c39e4
	https://git.kernel.org/stable/c/446ac00b86be1670838e513b643933d78837d8db
	https://git.kernel.org/stable/c/2c6c82ee074bfcfd1bc978ec45bfea37703d840a
	https://git.kernel.org/stable/c/34a500caf48c47d5171f4aa1f237da39b07c6157
