| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025100942-CVE-2025-39955-f36b@gregkh> Date: Thu, 9 Oct 2025 11:47:41 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-39955: tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk in the TCP_ESTABLISHED state. [0] syzbot reused the server-side TCP Fast Open socket as a new client before the TFO socket completes 3WHS: 1. accept() 2. connect(AF_UNSPEC) 3. connect() to another destination As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes it to TCP_CLOSE and makes connect() possible, which restarts timers. Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the retransmit timer triggered the warning and the intended packet was not retransmitted. Let's call reqsk_fastopen_remove() in tcp_disconnect(). [0]: WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) Modules linked in: CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293 RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017 RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400 RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8 R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540 R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0 FS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0 Call Trace: <IRQ> tcp_write_timer (net/ipv4/tcp_timer.c:738) call_timer_fn (kernel/time/timer.c:1747) __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372) timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135) tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035) __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1)) tmigr_handle_remote (kernel/time/timer_migration.c:1096) handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580) irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35)) </IRQ> The Linux kernel CVE team has assigned CVE-2025-39955 to this issue. Affected and fixed versions =========================== Issue introduced in 3.7 with commit 8336886f786fdacbc19b719c1f7ea91eb70706d4 and fixed in 5.4.300 with commit 7ec092a91ff351dcde89c23e795b73a328274db6 Issue introduced in 3.7 with commit 8336886f786fdacbc19b719c1f7ea91eb70706d4 and fixed in 5.10.245 with commit a4378dedd6e07e62f2fccb17d78c9665718763d0 Issue introduced in 3.7 with commit 8336886f786fdacbc19b719c1f7ea91eb70706d4 and fixed in 5.15.194 with commit 33a4fdf0b4a25f8ce65380c3b0136b407ca57609 Issue introduced in 3.7 with commit 8336886f786fdacbc19b719c1f7ea91eb70706d4 and fixed in 6.1.154 with commit 17d699727577814198d744d6afe54735c6b54c99 Issue introduced in 3.7 with commit 8336886f786fdacbc19b719c1f7ea91eb70706d4 and fixed in 6.6.108 with commit dfd06131107e7b699ef1e2a24ed2f7d17c917753 Issue introduced in 3.7 with commit 8336886f786fdacbc19b719c1f7ea91eb70706d4 and fixed in 6.12.49 with commit fa4749c065644af4db496b338452a69a3e5147d9 Issue introduced in 3.7 with commit 8336886f786fdacbc19b719c1f7ea91eb70706d4 and fixed in 6.16.9 with commit ae313d14b45eca7a6bb29cb9bf396d977e7d28fb Issue introduced in 3.7 with commit 8336886f786fdacbc19b719c1f7ea91eb70706d4 and fixed in 6.17 with commit 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-39955 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/ipv4/tcp.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/7ec092a91ff351dcde89c23e795b73a328274db6 https://git.kernel.org/stable/c/a4378dedd6e07e62f2fccb17d78c9665718763d0 https://git.kernel.org/stable/c/33a4fdf0b4a25f8ce65380c3b0136b407ca57609 https://git.kernel.org/stable/c/17d699727577814198d744d6afe54735c6b54c99 https://git.kernel.org/stable/c/dfd06131107e7b699ef1e2a24ed2f7d17c917753 https://git.kernel.org/stable/c/fa4749c065644af4db496b338452a69a3e5147d9 https://git.kernel.org/stable/c/ae313d14b45eca7a6bb29cb9bf396d977e7d28fb https://git.kernel.org/stable/c/45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01
Powered by blists - more mailing lists