lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025101500-CVE-2025-39985-98c2@gregkh>
Date: Wed, 15 Oct 2025 09:57:13 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39985: can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow

Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.

Unfortunately, because the mcba_usb driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:

  $ ip link set can0 mtu 9999

After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:

	socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))

to inject a malicious CAN XL frames. For example:

	struct canxl_frame frame = {
		.flags = 0xff,
		.len = 2048,
	};

The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:

  1. the skb->protocol is set to ETH_P_CANXL which is valid (the
     function does not check the actual device capabilities).

  2. the length is a valid CAN XL length.

And so, mcba_usb_start_xmit() receives a CAN XL frame which it is not
able to correctly handle and will thus misinterpret it as a CAN frame.

This can result in a buffer overflow. The driver will consume cf->len
as-is with no further checks on these lines:

	usb_msg.dlc = cf->len;

	memcpy(usb_msg.data, cf->data, usb_msg.dlc);

Here, cf->len corresponds to the flags field of the CAN XL frame. In
our previous example, we set canxl_frame->flags to 0xff. Because the
maximum expected length is 8, a buffer overflow of 247 bytes occurs!

Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU. By
fixing the root cause, this prevents the buffer overflow.

The Linux kernel CVE team has assigned CVE-2025-39985 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.12 with commit 51f3baad7de943780ce0c17bd7975df567dd6e14 and fixed in 5.4.300 with commit 0fa9303c4b9493727e0d3a6ac3729300e3013930
	Issue introduced in 4.12 with commit 51f3baad7de943780ce0c17bd7975df567dd6e14 and fixed in 5.10.245 with commit 37aed407496bf6de8910e588edb04d2435fa7011
	Issue introduced in 4.12 with commit 51f3baad7de943780ce0c17bd7975df567dd6e14 and fixed in 5.15.194 with commit 6eec67bfb25637f9b51e584cf59ddace59925bc8
	Issue introduced in 4.12 with commit 51f3baad7de943780ce0c17bd7975df567dd6e14 and fixed in 6.1.155 with commit ca4e51359608e1f29bf1f2c33c3ddf775b6b7ed1
	Issue introduced in 4.12 with commit 51f3baad7de943780ce0c17bd7975df567dd6e14 and fixed in 6.6.109 with commit 3664ae91b26d1fd7e4cee9cde17301361f4c89d5
	Issue introduced in 4.12 with commit 51f3baad7de943780ce0c17bd7975df567dd6e14 and fixed in 6.12.50 with commit 6b9fb82df8868dbe9ffea5874b8d35f951faedbb
	Issue introduced in 4.12 with commit 51f3baad7de943780ce0c17bd7975df567dd6e14 and fixed in 6.16.10 with commit b638c3fb0f163e69785ceddb3b434a9437878bec
	Issue introduced in 4.12 with commit 51f3baad7de943780ce0c17bd7975df567dd6e14 and fixed in 6.17 with commit 17c8d794527f01def0d1c8b7dc2d7b8d34fed0e6

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-39985
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/net/can/usb/mcba_usb.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/0fa9303c4b9493727e0d3a6ac3729300e3013930
	https://git.kernel.org/stable/c/37aed407496bf6de8910e588edb04d2435fa7011
	https://git.kernel.org/stable/c/6eec67bfb25637f9b51e584cf59ddace59925bc8
	https://git.kernel.org/stable/c/ca4e51359608e1f29bf1f2c33c3ddf775b6b7ed1
	https://git.kernel.org/stable/c/3664ae91b26d1fd7e4cee9cde17301361f4c89d5
	https://git.kernel.org/stable/c/6b9fb82df8868dbe9ffea5874b8d35f951faedbb
	https://git.kernel.org/stable/c/b638c3fb0f163e69785ceddb3b434a9437878bec
	https://git.kernel.org/stable/c/17c8d794527f01def0d1c8b7dc2d7b8d34fed0e6

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ