| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025082259-CVE-2025-38665-29e2@gregkh> Date: Fri, 22 Aug 2025 18:03:02 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38665: can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode Andrei Lalaev reported a NULL pointer deref when a CAN device is restarted from Bus Off and the driver does not implement the struct can_priv::do_set_mode callback. There are 2 code path that call struct can_priv::do_set_mode: - directly by a manual restart from the user space, via can_changelink() - delayed automatic restart after bus off (deactivated by default) To prevent the NULL pointer deference, refuse a manual restart or configure the automatic restart delay in can_changelink() and report the error via extack to user space. As an additional safety measure let can_restart() return an error if can_priv::do_set_mode is not set instead of dereferencing it unchecked. The Linux kernel CVE team has assigned CVE-2025-38665 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.31 with commit 39549eef3587f1c1e8c65c88a2400d10fd30ea17 and fixed in 6.1.148 with commit 6bbcf37c5114926c99a1d1e6993a5b35689d2599 Issue introduced in 2.6.31 with commit 39549eef3587f1c1e8c65c88a2400d10fd30ea17 and fixed in 6.6.101 with commit cf81a60a973358dea163f6b14062f17831ceb894 Issue introduced in 2.6.31 with commit 39549eef3587f1c1e8c65c88a2400d10fd30ea17 and fixed in 6.12.41 with commit 0ca816a96fdcf32644c80cbe7a82c7b6ce6ddda5 Issue introduced in 2.6.31 with commit 39549eef3587f1c1e8c65c88a2400d10fd30ea17 and fixed in 6.15.9 with commit 6acceb46180f9e160d4f0c56fcaf39ba562822ae Issue introduced in 2.6.31 with commit 39549eef3587f1c1e8c65c88a2400d10fd30ea17 and fixed in 6.16 with commit c1f3f9797c1f44a762e6f5f72520b2e520537b52 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38665 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/can/dev/dev.c drivers/net/can/dev/netlink.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/6bbcf37c5114926c99a1d1e6993a5b35689d2599 https://git.kernel.org/stable/c/cf81a60a973358dea163f6b14062f17831ceb894 https://git.kernel.org/stable/c/0ca816a96fdcf32644c80cbe7a82c7b6ce6ddda5 https://git.kernel.org/stable/c/6acceb46180f9e160d4f0c56fcaf39ba562822ae https://git.kernel.org/stable/c/c1f3f9797c1f44a762e6f5f72520b2e520537b52
Powered by blists - more mailing lists