lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <2025090459-CVE-2025-38718-5bb6@gregkh>
Date: Thu,  4 Sep 2025 17:33:23 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38718: sctp: linearize cloned gso packets in sctp_rcv

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

sctp: linearize cloned gso packets in sctp_rcv

A cloned head skb still shares these frag skbs in fraglist with the
original head skb. It's not safe to access these frag skbs.

syzbot reported two use-of-uninitialized-memory bugs caused by this:

  BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
   sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
   sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998
   sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
   sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331
   sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122
   __release_sock+0x1da/0x330 net/core/sock.c:3106
   release_sock+0x6b/0x250 net/core/sock.c:3660
   sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360
   sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885
   sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031
   inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851
   sock_sendmsg_nosec net/socket.c:718 [inline]

and

  BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
   sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
   sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88
   sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331
   sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148
   __release_sock+0x1d3/0x330 net/core/sock.c:3213
   release_sock+0x6b/0x270 net/core/sock.c:3767
   sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367
   sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886
   sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032
   inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851
   sock_sendmsg_nosec net/socket.c:712 [inline]

This patch fixes it by linearizing cloned gso packets in sctp_rcv().

The Linux kernel CVE team has assigned CVE-2025-38718 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.8 with commit 90017accff61ae89283ad9a51f9ac46ca01633fb and fixed in 5.4.297 with commit d0194e391bb493aa6cec56d177b14df6b29188d5
	Issue introduced in 4.8 with commit 90017accff61ae89283ad9a51f9ac46ca01633fb and fixed in 5.10.241 with commit 03d0cc6889e02420125510b5444b570f4bbf53d5
	Issue introduced in 4.8 with commit 90017accff61ae89283ad9a51f9ac46ca01633fb and fixed in 5.15.190 with commit cd0e92bb2b7542fb96397ffac639b4f5b099d0cb
	Issue introduced in 4.8 with commit 90017accff61ae89283ad9a51f9ac46ca01633fb and fixed in 6.6.103 with commit ea094f38d387d1b0ded5dee4a3e5720aa4ce0139
	Issue introduced in 4.8 with commit 90017accff61ae89283ad9a51f9ac46ca01633fb and fixed in 6.12.43 with commit 7d757f17bc2ef2727994ffa6d5d6e4bc4789a770
	Issue introduced in 4.8 with commit 90017accff61ae89283ad9a51f9ac46ca01633fb and fixed in 6.15.11 with commit fc66772607101bd2030a4332b3bd0ea3b3605250
	Issue introduced in 4.8 with commit 90017accff61ae89283ad9a51f9ac46ca01633fb and fixed in 6.16.2 with commit 1bd5214ea681584c5886fea3ba03e49f93a43c0e
	Issue introduced in 4.8 with commit 90017accff61ae89283ad9a51f9ac46ca01633fb and fixed in 6.17-rc2 with commit fd60d8a086191fe33c2d719732d2482052fa6805

Please see https://www.kernel.org for a full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38718
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
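As an added example (not part of this announcement, and not a tool from the kernel CVE team), the POSIX shell function below classifies a kernel version string against the fix table listed above. The branch and patchlevel numbers in the table are copied from this announcement; the function name, the four output words and the handling of unlisted branches are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a kernel version string
# against the fixed versions this announcement lists for CVE-2025-38718.
# Output is one word:
#   unaffected  - branch older than 4.8, where the introducing commit landed
#   fixed       - at or past the listed fix for that stable branch, or 6.17-rc2 and later
#   vulnerable  - an affected branch below its listed fix
#   unknown     - a branch this announcement lists no fix for; check the CVE record
# The table is copied from "Affected and fixed versions" above (branch:patchlevel).
# Caveat: distribution kernels backport fixes without changing the version
# number, so "vulnerable" from uname -r only means "check the vendor changelog".

FIXED_TABLE="5.4:297 5.10:241 5.15:190 6.6:103 6.12:43 6.15:11 6.16:2"

cve_2025_38718_status() {
    ver=$1
    # Numeric prefix only: "6.6.103-generic" -> "6.6.103", "6.17-rc2" -> "6.17"
    num=$(printf '%s' "$ver" | sed 's/[^0-9.].*$//')
    major=${num%%.*}
    case $major in ''|*[!0-9]*) echo unknown; return 0;; esac
    rest=${num#*.}
    [ "$rest" = "$num" ] && rest=0            # bare "6" -> minor 0
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0         # no patchlevel -> 0
    patch=${patch%%.*}
    # Release-candidate number if present ("6.17-rc1" -> 1); empty for final releases
    rc=$(printf '%s' "$ver" | sed -n 's/^[0-9.]*-rc\([0-9][0-9]*\).*$/\1/p')

    # The bug was introduced in 4.8; anything older never had the code path.
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 8 ]; }; then
        echo unaffected; return 0
    fi
    # Mainline: the fix landed in 6.17-rc2, so 6.17-rc1 is the only newer tag still affected.
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 17 ]; }; then
        if [ "$major" -eq 6 ] && [ "$minor" -eq 17 ] && [ -n "$rc" ] && [ "$rc" -lt 2 ]; then
            echo vulnerable
        else
            echo fixed
        fi
        return 0
    fi
    # Stable branches with a listed fix: compare the patchlevel against the table.
    for entry in $FIXED_TABLE; do
        branch=${entry%%:*}
        fixpatch=${entry#*:}
        if [ "$branch" = "$major.$minor" ]; then
            if [ "$patch" -ge "$fixpatch" ]; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    # 4.8 <= version < 6.17 on a branch this announcement does not list (e.g. 6.1, 6.14).
    echo unknown
}

# Usage: check the running kernel, or any version string given as the first argument.
cve_2025_38718_status "${1:-$(uname -r)}"
```

Run it with no argument to check the running kernel, or pass a version string such as `6.6.102`. Treat anything other than `fixed` as a prompt rather than a verdict: distribution kernels carry backports under unchanged version strings, and branches not listed above (6.1, for instance) may have received the fix after this announcement, which is exactly why the CVE record, not this mail, is the authoritative source.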


Affected files
==============

The file(s) affected by this issue are:
	net/sctp/input.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/d0194e391bb493aa6cec56d177b14df6b29188d5
	https://git.kernel.org/stable/c/03d0cc6889e02420125510b5444b570f4bbf53d5
	https://git.kernel.org/stable/c/cd0e92bb2b7542fb96397ffac639b4f5b099d0cb
	https://git.kernel.org/stable/c/ea094f38d387d1b0ded5dee4a3e5720aa4ce0139
	https://git.kernel.org/stable/c/7d757f17bc2ef2727994ffa6d5d6e4bc4789a770
	https://git.kernel.org/stable/c/fc66772607101bd2030a4332b3bd0ea3b3605250
	https://git.kernel.org/stable/c/1bd5214ea681584c5886fea3ba03e49f93a43c0e
	https://git.kernel.org/stable/c/fd60d8a086191fe33c2d719732d2482052fa6805
