| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120818-CVE-2025-40292-e613@gregkh>
Date: Mon, 8 Dec 2025 09:47:17 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-40292: virtio-net: fix received length check in big packets
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
virtio-net: fix received length check in big packets
Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length
for big packets"), when guest gso is off, the allocated size for big
packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on
negotiated MTU. The number of allocated frags for big packets is stored
in vi->big_packets_num_skbfrags.
Because the host announced buffer length can be malicious (e.g. the host
vhost_net driver's get_rx_bufs is modified to announce incorrect
length), we need a check in virtio_net receive path. Currently, the
check is not adapted to the new change which can lead to NULL page
pointer dereference in the below while loop when receiving length that
is larger than the allocated one.
This commit fixes the received length check corresponding to the new
change.
The Linux kernel CVE team has assigned CVE-2025-40292 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.1 with commit 4959aebba8c06992abafa09d1e80965e0825af54 and fixed in 6.1.159 with commit 82f9028e83944a9eee5229cbc6fee9be1de8a62d
Issue introduced in 6.1 with commit 4959aebba8c06992abafa09d1e80965e0825af54 and fixed in 6.6.117 with commit 946dec89c41726b94d31147ec528b96af0be1b5a
Issue introduced in 6.1 with commit 4959aebba8c06992abafa09d1e80965e0825af54 and fixed in 6.12.58 with commit 82fe78065450d2d07f36a22e2b6b44955cf5ca5b
Issue introduced in 6.1 with commit 4959aebba8c06992abafa09d1e80965e0825af54 and fixed in 6.17.8 with commit 3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2
Issue introduced in 6.1 with commit 4959aebba8c06992abafa09d1e80965e0825af54 and fixed in 6.18 with commit 0c716703965ffc5ef4311b65cb5d84a703784717
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-40292
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/virtio_net.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/82f9028e83944a9eee5229cbc6fee9be1de8a62d
https://git.kernel.org/stable/c/946dec89c41726b94d31147ec528b96af0be1b5a
https://git.kernel.org/stable/c/82fe78065450d2d07f36a22e2b6b44955cf5ca5b
https://git.kernel.org/stable/c/3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2
https://git.kernel.org/stable/c/0c716703965ffc5ef4311b65cb5d84a703784717
Powered by blists - more mailing lists