lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025120718-CVE-2025-40281-557d@gregkh>
Date: Sun,  7 Dec 2025 06:52:28 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-40281: sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto

syzbot reported a possible shift-out-of-bounds [1]

Blamed commit added rto_alpha_max and rto_beta_max set to 1000.

It is unclear if some sctp users are setting very large rto_alpha
and/or rto_beta.

In order to prevent user regression, perform the test at run time.

Also add READ_ONCE() annotations as sysctl values can change under us.

[1]

UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41
shift exponent 64 is too large for 32-bit type 'unsigned int'
CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
  ubsan_epilogue lib/ubsan.c:233 [inline]
  __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494
  sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509
  sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502
  sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338
  sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]
  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]

The Linux kernel CVE team has assigned CVE-2025-40281 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 3.16 with commit b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b and fixed in 5.4.302 with commit 0e0413e3315199b23ff4aec295e256034cd0a6e4
	Issue introduced in 3.16 with commit b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b and fixed in 5.10.247 with commit 834e65be429c0fa4f9bb5945064bd57f18ed2187
	Issue introduced in 3.16 with commit b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b and fixed in 5.15.197 with commit abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a
	Issue introduced in 3.16 with commit b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b and fixed in 6.1.159 with commit d0d858652834dcf531342c82a0428170aa7c2675
	Issue introduced in 3.16 with commit b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b and fixed in 6.6.117 with commit ed71f801249d2350c77a73dca2c03918a15a62fe
	Issue introduced in 3.16 with commit b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b and fixed in 6.12.59 with commit 1cfa4eac275cc4875755c1303d48a4ddfe507ca8
	Issue introduced in 3.16 with commit b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b and fixed in 6.17.9 with commit aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d
	Issue introduced in 3.16 with commit b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b and fixed in 6.18 with commit 1534ff77757e44bcc4b98d0196bc5c0052fce5fa

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-40281
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/sctp/transport.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/0e0413e3315199b23ff4aec295e256034cd0a6e4
	https://git.kernel.org/stable/c/834e65be429c0fa4f9bb5945064bd57f18ed2187
	https://git.kernel.org/stable/c/abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a
	https://git.kernel.org/stable/c/d0d858652834dcf531342c82a0428170aa7c2675
	https://git.kernel.org/stable/c/ed71f801249d2350c77a73dca2c03918a15a62fe
	https://git.kernel.org/stable/c/1cfa4eac275cc4875755c1303d48a4ddfe507ca8
	https://git.kernel.org/stable/c/aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d
	https://git.kernel.org/stable/c/1534ff77757e44bcc4b98d0196bc5c0052fce5fa

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ