| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025081629-CVE-2025-38552-f7a9@gregkh> Date: Sat, 16 Aug 2025 13:34:29 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38552: mptcp: plug races between subflow fail and subflow creation From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: mptcp: plug races between subflow fail and subflow creation We have races similar to the one addressed by the previous patch between subflow failing and additional subflow creation. They are just harder to trigger. The solution is similar. Use a separate flag to track the condition 'socket state prevent any additional subflow creation' protected by the fallback lock. The socket fallback makes such flag true, and also receiving or sending an MP_FAIL option. The field 'allow_infinite_fallback' is now always touched under the relevant lock, we can drop the ONCE annotation on write. The Linux kernel CVE team has assigned CVE-2025-38552 to this issue. Affected and fixed versions =========================== Issue introduced in 5.15 with commit 478d770008b03ed9d74bdc8add2315b7fd124ecc and fixed in 6.6.101 with commit 7c96d519ee15a130842a6513530b4d20acd2bfcd Issue introduced in 5.15 with commit 478d770008b03ed9d74bdc8add2315b7fd124ecc and fixed in 6.12.40 with commit f81b6fbe13c7fc413b5158cdffc6a59391a2a8db Issue introduced in 5.15 with commit 478d770008b03ed9d74bdc8add2315b7fd124ecc and fixed in 6.15.8 with commit 659da22dee5ff316ba63bdaeeac7b58b5442f6c2 Issue introduced in 5.15 with commit 478d770008b03ed9d74bdc8add2315b7fd124ecc and fixed in 6.16 with commit def5b7b2643ebba696fc60ddf675dca13f073486 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38552 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/mptcp/pm.c net/mptcp/protocol.c net/mptcp/protocol.h net/mptcp/subflow.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/7c96d519ee15a130842a6513530b4d20acd2bfcd https://git.kernel.org/stable/c/f81b6fbe13c7fc413b5158cdffc6a59391a2a8db https://git.kernel.org/stable/c/659da22dee5ff316ba63bdaeeac7b58b5442f6c2 https://git.kernel.org/stable/c/def5b7b2643ebba696fc60ddf675dca13f073486
Powered by blists - more mailing lists