| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025101501-CVE-2025-39986-b33b@gregkh>
Date: Wed, 15 Oct 2025 09:57:14 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39986: can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the sun4i_can driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
to inject a malicious CAN XL frames. For example:
struct canxl_frame frame = {
.flags = 0xff,
.len = 2048,
};
The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:
1. the skb->protocol is set to ETH_P_CANXL which is valid (the
function does not check the actual device capabilities).
2. the length is a valid CAN XL length.
And so, sun4ican_start_xmit() receives a CAN XL frame which it is not
able to correctly handle and will thus misinterpret it as a CAN frame.
This can result in a buffer overflow. The driver will consume cf->len
as-is with no further checks on this line:
dlc = cf->len;
Here, cf->len corresponds to the flags field of the CAN XL frame. In
our previous example, we set canxl_frame->flags to 0xff. Because the
maximum expected length is 8, a buffer overflow of 247 bytes occurs a
couple line below when doing:
for (i = 0; i < dlc; i++)
writel(cf->data[i], priv->base + (dreg + i * 4));
Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU. By
fixing the root cause, this prevents the buffer overflow.
The Linux kernel CVE team has assigned CVE-2025-39986 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.4 with commit 0738eff14d817a02ab082c392c96a1613006f158 and fixed in 5.4.300 with commit 063539db42203b29d5aa2adf0cae3d68c646a6b6
Issue introduced in 4.4 with commit 0738eff14d817a02ab082c392c96a1613006f158 and fixed in 5.10.245 with commit 4f382cc887adca8478b9d3e6b81aa6698a95fff4
Issue introduced in 4.4 with commit 0738eff14d817a02ab082c392c96a1613006f158 and fixed in 5.15.194 with commit 60463a1c138900494cb3adae41142a11cd8feb3c
Issue introduced in 4.4 with commit 0738eff14d817a02ab082c392c96a1613006f158 and fixed in 6.1.155 with commit a61ff7ac93270d20ca426c027d6d01c8ac8e904c
Issue introduced in 4.4 with commit 0738eff14d817a02ab082c392c96a1613006f158 and fixed in 6.6.109 with commit 2e423e1990f3972cbea779883fef52c2f2acb858
Issue introduced in 4.4 with commit 0738eff14d817a02ab082c392c96a1613006f158 and fixed in 6.12.50 with commit de77841652e57afbc46e9e1dbf51ee364fc008e1
Issue introduced in 4.4 with commit 0738eff14d817a02ab082c392c96a1613006f158 and fixed in 6.16.10 with commit 7f7b21026a6febdb749f6f6f950427245aa86cce
Issue introduced in 4.4 with commit 0738eff14d817a02ab082c392c96a1613006f158 and fixed in 6.17 with commit 61da0bd4102c459823fbe6b8b43b01fb6ace4a22
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-39986
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/can/sun4i_can.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/063539db42203b29d5aa2adf0cae3d68c646a6b6
https://git.kernel.org/stable/c/4f382cc887adca8478b9d3e6b81aa6698a95fff4
https://git.kernel.org/stable/c/60463a1c138900494cb3adae41142a11cd8feb3c
https://git.kernel.org/stable/c/a61ff7ac93270d20ca426c027d6d01c8ac8e904c
https://git.kernel.org/stable/c/2e423e1990f3972cbea779883fef52c2f2acb858
https://git.kernel.org/stable/c/de77841652e57afbc46e9e1dbf51ee364fc008e1
https://git.kernel.org/stable/c/7f7b21026a6febdb749f6f6f950427245aa86cce
https://git.kernel.org/stable/c/61da0bd4102c459823fbe6b8b43b01fb6ace4a22
Powered by blists - more mailing lists