| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025081908-CVE-2025-38566-edef@gregkh> Date: Tue, 19 Aug 2025 19:18:13 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38566: sunrpc: fix handling of server side tls alerts From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix handling of server side tls alerts Scott Mayhew discovered a security exploit in NFS over TLS in tls_alert_recv() due to its assumption it can read data from the msg iterator's kvec.. kTLS implementation splits TLS non-data record payload between the control message buffer (which includes the type such as TLS aler or TLS cipher change) and the rest of the payload (say TLS alert's level/description) which goes into the msg payload buffer. This patch proposes to rework how control messages are setup and used by sock_recvmsg(). If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can setup a kvec backed msg buffer and read in the control message such as a TLS alert. Msg iterator can advance the kvec pointer as a part of the copy process thus we need to revert the iterator before calling into the tls_alert_recv. The Linux kernel CVE team has assigned CVE-2025-38566 to this issue. Affected and fixed versions =========================== Issue introduced in 6.4 with commit 5e052dda121e2870dd87181783da4a95d7d2927b and fixed in 6.6.102 with commit b1df394621710b312f0393e3f240fdac0764f968 Issue introduced in 6.4 with commit 5e052dda121e2870dd87181783da4a95d7d2927b and fixed in 6.12.42 with commit 25bb3647d30a20486b5fe7cff2b0e503c16c9692 Issue introduced in 6.4 with commit 5e052dda121e2870dd87181783da4a95d7d2927b and fixed in 6.15.10 with commit 3b549da875414989f480b66835d514be80a0bd9c Issue introduced in 6.4 with commit 5e052dda121e2870dd87181783da4a95d7d2927b and fixed in 6.16.1 with commit 6b33c31cc788073bfbed9297e1f4486ed73d87da Issue introduced in 6.4 with commit 5e052dda121e2870dd87181783da4a95d7d2927b and fixed in 6.17-rc2 with commit bee47cb026e762841f3faece47b51f985e215edb Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38566 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/sunrpc/svcsock.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/b1df394621710b312f0393e3f240fdac0764f968 https://git.kernel.org/stable/c/25bb3647d30a20486b5fe7cff2b0e503c16c9692 https://git.kernel.org/stable/c/3b549da875414989f480b66835d514be80a0bd9c https://git.kernel.org/stable/c/6b33c31cc788073bfbed9297e1f4486ed73d87da https://git.kernel.org/stable/c/bee47cb026e762841f3faece47b51f985e215edb
Powered by blists - more mailing lists