| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025111239-CVE-2025-40159-fe53@gregkh>
Date: Wed, 12 Nov 2025 19:24:40 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-40159: xsk: Harden userspace-supplied xdp_desc validation
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
xsk: Harden userspace-supplied xdp_desc validation
Turned out certain clearly invalid values passed in xdp_desc from
userspace can pass xp_{,un}aligned_validate_desc() and then lead
to UBs or just invalid frames to be queued for xmit.
desc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len
can cause positive integer overflow and wraparound, the same way low
enough desc->addr with a non-zero pool->tx_metadata_len can cause
negative integer overflow. Both scenarios can then pass the
validation successfully.
This doesn't happen with valid XSk applications, but can be used
to perform attacks.
Always promote desc->len to ``u64`` first to exclude positive
overflows of it. Use explicit check_{add,sub}_overflow() when
validating desc->addr (which is ``u64`` already).
bloat-o-meter reports a little growth of the code size:
add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)
Function old new delta
xskq_cons_peek_desc 299 330 +31
xsk_tx_peek_release_desc_batch 973 1002 +29
xsk_generic_xmit 3148 3132 -16
but hopefully this doesn't hurt the performance much.
The Linux kernel CVE team has assigned CVE-2025-40159 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.8 with commit 341ac980eab90ac1f6c22ee9f9da83ed9604d899 and fixed in 6.12.54 with commit 1463cd066f32efd56ddfd3ac4e3524200f362980
Issue introduced in 6.8 with commit 341ac980eab90ac1f6c22ee9f9da83ed9604d899 and fixed in 6.17.4 with commit 5b5fffa7c81e55d8c8edf05ad40d811ec7047e21
Issue introduced in 6.8 with commit 341ac980eab90ac1f6c22ee9f9da83ed9604d899 and fixed in 6.18-rc1 with commit 07ca98f906a403637fc5e513a872a50ef1247f3b
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-40159
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/xdp/xsk_queue.h
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/1463cd066f32efd56ddfd3ac4e3524200f362980
https://git.kernel.org/stable/c/5b5fffa7c81e55d8c8edf05ad40d811ec7047e21
https://git.kernel.org/stable/c/07ca98f906a403637fc5e513a872a50ef1247f3b
Powered by blists - more mailing lists