| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120432-CVE-2025-40254-736a@gregkh> Date: Thu, 4 Dec 2025 16:57:35 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40254: net: openvswitch: remove never-working support for setting nsh fields From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: remove never-working support for setting nsh fields The validation of the set(nsh(...)) action is completely wrong. It runs through the nsh_key_put_from_nlattr() function that is the same function that validates NSH keys for the flow match and the push_nsh() action. However, the set(nsh(...)) has a very different memory layout. Nested attributes in there are doubled in size in case of the masked set(). That makes proper validation impossible. There is also confusion in the code between the 'masked' flag, that says that the nested attributes are doubled in size containing both the value and the mask, and the 'is_mask' that says that the value we're parsing is the mask. This is causing kernel crash on trying to write into mask part of the match with SW_FLOW_KEY_PUT() during validation, while validate_nsh() doesn't allocate any memory for it: BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary) RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch] Call Trace: <TASK> validate_nsh+0x60/0x90 [openvswitch] validate_set.constprop.0+0x270/0x3c0 [openvswitch] __ovs_nla_copy_actions+0x477/0x860 [openvswitch] ovs_nla_copy_actions+0x8d/0x100 [openvswitch] ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch] genl_family_rcv_msg_doit+0xdb/0x130 genl_family_rcv_msg+0x14b/0x220 genl_rcv_msg+0x47/0xa0 netlink_rcv_skb+0x53/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x280/0x3b0 netlink_sendmsg+0x1f7/0x430 ____sys_sendmsg+0x36b/0x3a0 ___sys_sendmsg+0x87/0xd0 __sys_sendmsg+0x6d/0xd0 do_syscall_64+0x7b/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The third issue with this process is that while trying to convert the non-masked set into masked one, validate_set() copies and doubles the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested attributes. It should be copying each nested attribute and doubling them in size independently. And the process must be properly reversed during the conversion back from masked to a non-masked variant during the flow dump. In the end, the only two outcomes of trying to use this action are either validation failure or a kernel crash. And if somehow someone manages to install a flow with such an action, it will most definitely not do what it is supposed to, since all the keys and the masks are mixed up. Fixing all the issues is a complex task as it requires re-writing most of the validation code. Given that and the fact that this functionality never worked since introduction, let's just remove it altogether. It's better to re-introduce it later with a proper implementation instead of trying to fix it in stable releases. The Linux kernel CVE team has assigned CVE-2025-40254 to this issue. Affected and fixed versions =========================== Issue introduced in 4.15 with commit b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 and fixed in 5.4.302 with commit 3415faa1fcb4150f29a72c5ecf959339d797feb7 Issue introduced in 4.15 with commit b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 and fixed in 6.6.118 with commit 0b903f33c31c82b1c3591279fd8a23893802b987 Issue introduced in 4.15 with commit b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 and fixed in 6.12.60 with commit 9c61d8fe1350b7322f4953318165d6719c3b1475 Issue introduced in 4.15 with commit b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 and fixed in 6.17.10 with commit 4689ba45296dbb3a47e70a1bc2ed0328263e48f3 Issue introduced in 4.15 with commit b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 and fixed in 6.18 with commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40254 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/openvswitch/actions.c net/openvswitch/flow_netlink.c net/openvswitch/flow_netlink.h Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/3415faa1fcb4150f29a72c5ecf959339d797feb7 https://git.kernel.org/stable/c/0b903f33c31c82b1c3591279fd8a23893802b987 https://git.kernel.org/stable/c/9c61d8fe1350b7322f4953318165d6719c3b1475 https://git.kernel.org/stable/c/4689ba45296dbb3a47e70a1bc2ed0328263e48f3 https://git.kernel.org/stable/c/dfe28c4167a9259fc0c372d9f9473e1ac95cff67
Powered by blists - more mailing lists