Message-ID: <2025100115-CVE-2025-39894-f2dd@gregkh>
Date: Wed,  1 Oct 2025 09:43:18 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39894: netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm

When sending a broadcast packet to a tap device, which was added to a bridge,
br_nf_local_in() is called to confirm the conntrack. If another conntrack
with the same hash value is added to the hash table, which can be
triggered by a normal packet to a non-bridge device, the below warning
may happen.

  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
  CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
  RIP: 0010:br_nf_local_in+0x168/0x200
  Call Trace:
   <TASK>
   nf_hook_slow+0x3e/0xf0
   br_pass_frame_up+0x103/0x180
   br_handle_frame_finish+0x2de/0x5b0
   br_nf_hook_thresh+0xc0/0x120
   br_nf_pre_routing_finish+0x168/0x3a0
   br_nf_pre_routing+0x237/0x5e0
   br_handle_frame+0x1ec/0x3c0
   __netif_receive_skb_core+0x225/0x1210
   __netif_receive_skb_one_core+0x37/0xa0
   netif_receive_skb+0x36/0x160
   tun_get_user+0xa54/0x10c0
   tun_chr_write_iter+0x65/0xb0
   vfs_write+0x305/0x410
   ksys_write+0x60/0xd0
   do_syscall_64+0xa4/0x260
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
   </TASK>
  ---[ end trace 0000000000000000 ]---

To solve the hash conflict, nf_ct_resolve_clash() tries to merge the
conntracks, and updates skb->_nfct. However, br_nf_local_in() still uses the
old ct from local variable 'nfct' after confirm(), which leads to this
warning.

If confirm() does not insert the conntrack entry and returns NF_DROP, the
warning may also occur. There is no need to preserve the WARN_ON_ONCE, just
remove it.

The Linux kernel CVE team has assigned CVE-2025-39894 to this issue.
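The defect pattern described above, modelled in user-space C as an added illustration (this is not kernel code and not part of the advisory): a conntrack pointer cached before confirm() is checked after confirm() has either repointed skb->_nfct at the clashing entry or dropped the packet without inserting anything. The structs, table, confirm() and the force_drop parameter are all constructed stand-ins for the kernel's nf_conn, skb->_nfct and confirm path.

```c
#include <string.h>
#define NF_DROP   0
#define NF_ACCEPT 1
/* Constructed model of a conntrack entry, skb->_nfct and a one-slot-per-hash table. */
struct ct  { int hash; int confirmed; };
struct skb { struct ct *nfct; };
static struct ct *table[8];
static int warn_count;                     /* times the stale-pointer WARN fired */
/* Model of confirm(): insert ct, or on a hash clash repoint skb->_nfct at the entry
 * already present (what nf_ct_resolve_clash() does); force_drop models NF_DROP with no insert. */
static int confirm(struct skb *skb, int force_drop)
{
    struct ct *ct = skb->nfct;
    if (force_drop)
        return NF_DROP;
    if (table[ct->hash] && table[ct->hash] != ct) {
        skb->nfct = table[ct->hash];       /* skb now refers to the other, confirmed ct */
        return NF_ACCEPT;
    }
    table[ct->hash] = ct;
    ct->confirmed = 1;
    return NF_ACCEPT;
}
/* Pre-fix pattern: the ct cached before confirm() is checked afterwards, although
 * confirm() may have replaced skb->_nfct or dropped the packet without inserting. */
static int local_in_buggy(struct skb *skb, int force_drop)
{
    struct ct *nfct = skb->nfct;
    int verdict = confirm(skb, force_drop);
    if (!nfct->confirmed)                  /* stale local: spurious WARN_ON_ONCE */
        warn_count++;
    return verdict;
}
/* Post-fix pattern: the check is gone; the verdict alone decides what happens. */
static int local_in_fixed(struct skb *skb, int force_drop)
{
    return confirm(skb, force_drop);
}
/* Advisory scenario: a same-hash ct is confirmed first, then bridge local-in runs. Returns WARN count. */
static int run_scenario(int (*local_in)(struct skb *, int), int force_drop)
{
    struct ct other = { 3, 0 }, mine = { 3, 0 };
    struct skb s1 = { &other }, s2 = { &mine };
    memset(table, 0, sizeof table);
    warn_count = 0;
    confirm(&s1, 0);                       /* the "normal packet to a non-bridge device" */
    local_in(&s2, force_drop);             /* the broadcast via the bridged tap */
    return warn_count;
}
```

With the pre-fix check the WARN fires in both the clash and the NF_DROP case even though no conntrack state is actually wrong, which is why the fix removes the check rather than repairing it.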


Affected and fixed versions
===========================

	Issue introduced in 5.15.151 with commit 7c3f28599652acf431a2211168de4a583f30b6d5 and fixed in 5.15.192 with commit d00c8b0daf56012f69075e3377da67878c775e4c
	Issue introduced in 6.1.81 with commit 2b1414d5e94e477edff1d2c79030f1d742625ea0 and fixed in 6.1.151 with commit ccbad4803225eafe0175d3cb19f0d8d73b504a94
	Issue introduced in 6.6.21 with commit 80cd0487f630b5382734997c3e5e3003a77db315 and fixed in 6.6.105 with commit 50db11e2bbb635e38e3dd096215580d6adb41fb0
	Issue introduced in 6.8 with commit 62e7151ae3eb465e0ab52a20c941ff33bb6332e9 and fixed in 6.12.46 with commit c47ca77fee9071aa543bae592dd2a384f895c8b6
	Issue introduced in 6.8 with commit 62e7151ae3eb465e0ab52a20c941ff33bb6332e9 and fixed in 6.16.6 with commit a74abcf0f09f59daeecf7a3ba9c1d690808b0afe
	Issue introduced in 6.8 with commit 62e7151ae3eb465e0ab52a20c941ff33bb6332e9 and fixed in 6.17 with commit 479a54ab92087318514c82428a87af2d7af1a576
	Issue introduced in 6.7.9 with commit cb734975b0ffa688ff6cc0eed463865bf07b6c01

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-39894
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/bridge/br_netfilter_hooks.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/d00c8b0daf56012f69075e3377da67878c775e4c
	https://git.kernel.org/stable/c/ccbad4803225eafe0175d3cb19f0d8d73b504a94
	https://git.kernel.org/stable/c/50db11e2bbb635e38e3dd096215580d6adb41fb0
	https://git.kernel.org/stable/c/c47ca77fee9071aa543bae592dd2a384f895c8b6
	https://git.kernel.org/stable/c/a74abcf0f09f59daeecf7a3ba9c1d690808b0afe
	https://git.kernel.org/stable/c/479a54ab92087318514c82428a87af2d7af1a576
