lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025101501-CVE-2025-39987-9feb@gregkh>
Date: Wed, 15 Oct 2025 09:57:15 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39987: can: hi311x: populate ndo_change_mtu() to prevent buffer overflow

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

can: hi311x: populate ndo_change_mtu() to prevent buffer overflow

Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.

Unfortunately, because the sun4i_can driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:

  $ ip link set can0 mtu 9999

After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:

	socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))

to inject a malicious CAN XL frames. For example:

	struct canxl_frame frame = {
		.flags = 0xff,
		.len = 2048,
	};

The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:

  1. the skb->protocol is set to ETH_P_CANXL which is valid (the
     function does not check the actual device capabilities).

  2. the length is a valid CAN XL length.

And so, hi3110_hard_start_xmit() receives a CAN XL frame which it is
not able to correctly handle and will thus misinterpret it as a CAN
frame. The driver will consume frame->len as-is with no further
checks.

This can result in a buffer overflow later on in hi3110_hw_tx() on
this line:

	memcpy(buf + HI3110_FIFO_EXT_DATA_OFF,
	       frame->data, frame->len);

Here, frame->len corresponds to the flags field of the CAN XL frame.
In our previous example, we set canxl_frame->flags to 0xff. Because
the maximum expected length is 8, a buffer overflow of 247 bytes
occurs!

Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU. By
fixing the root cause, this prevents the buffer overflow.

The Linux kernel CVE team has assigned CVE-2025-39987 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.12 with commit 57e83fb9b7468c75cb65cde1d23043553c346c6d and fixed in 5.4.300 with commit f2c247e9581024d8b3dd44cbe086bf2bebbef42c
	Issue introduced in 4.12 with commit 57e83fb9b7468c75cb65cde1d23043553c346c6d and fixed in 5.10.245 with commit 8f351db6b2367991f0736b2cff082f5de4872113
	Issue introduced in 4.12 with commit 57e83fb9b7468c75cb65cde1d23043553c346c6d and fixed in 5.15.194 with commit 7ab85762274c0fa997f0ef9a2307b2001aae43c4
	Issue introduced in 4.12 with commit 57e83fb9b7468c75cb65cde1d23043553c346c6d and fixed in 6.1.155 with commit 57d332ce8c921d0e340650470bb0c1d707f216ee
	Issue introduced in 4.12 with commit 57e83fb9b7468c75cb65cde1d23043553c346c6d and fixed in 6.6.109 with commit be1b25005fd0f9d4e78bec6695711ef87ee33398
	Issue introduced in 4.12 with commit 57e83fb9b7468c75cb65cde1d23043553c346c6d and fixed in 6.12.50 with commit def814b4ba31b563584061d6895d5ff447d5bc14
	Issue introduced in 4.12 with commit 57e83fb9b7468c75cb65cde1d23043553c346c6d and fixed in 6.16.10 with commit e77fdf9e33a83a08f04ab0cb68c19ddb365a622f
	Issue introduced in 4.12 with commit 57e83fb9b7468c75cb65cde1d23043553c346c6d and fixed in 6.17 with commit ac1c7656fa717f29fac3ea073af63f0b9919ec9a

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-39987
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/net/can/spi/hi311x.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/f2c247e9581024d8b3dd44cbe086bf2bebbef42c
	https://git.kernel.org/stable/c/8f351db6b2367991f0736b2cff082f5de4872113
	https://git.kernel.org/stable/c/7ab85762274c0fa997f0ef9a2307b2001aae43c4
	https://git.kernel.org/stable/c/57d332ce8c921d0e340650470bb0c1d707f216ee
	https://git.kernel.org/stable/c/be1b25005fd0f9d4e78bec6695711ef87ee33398
	https://git.kernel.org/stable/c/def814b4ba31b563584061d6895d5ff447d5bc14
	https://git.kernel.org/stable/c/e77fdf9e33a83a08f04ab0cb68c19ddb365a622f
	https://git.kernel.org/stable/c/ac1c7656fa717f29fac3ea073af63f0b9919ec9a

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ