| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025121645-CVE-2025-68308-5dc4@gregkh> Date: Tue, 16 Dec 2025 16:07:02 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-68308: can: kvaser_usb: leaf: Fix potential infinite loop in command parsers From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: leaf: Fix potential infinite loop in command parsers The `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback` functions contain logic to zero-length commands. These commands are used to align data to the USB endpoint's wMaxPacketSize boundary. The driver attempts to skip these placeholders by aligning the buffer position `pos` to the next packet boundary using `round_up()` function. However, if zero-length command is found exactly on a packet boundary (i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up` function will return the unchanged value of `pos`. This prevents `pos` to be increased, causing an infinite loop in the parsing logic. This patch fixes this in the function by using `pos + 1` instead. This ensures that even if `pos` is on a boundary, the calculation is based on `pos + 1`, forcing `round_up()` to always return the next aligned boundary. The Linux kernel CVE team has assigned CVE-2025-68308 to this issue. Affected and fixed versions =========================== Issue introduced in 4.19 with commit 7259124eac7d1b76b41c7a9cb2511a30556deebe and fixed in 5.10.247 with commit 58343e0a4d43699f0e2f5b169384bbe4c0217add Issue introduced in 4.19 with commit 7259124eac7d1b76b41c7a9cb2511a30556deebe and fixed in 5.15.197 with commit 69c7825df64e24dc15d31631a1fc9145324b1345 Issue introduced in 4.19 with commit 7259124eac7d1b76b41c7a9cb2511a30556deebe and fixed in 6.1.159 with commit 028e89c7e8b4346302e88df01cc50e0a1f05791a Issue introduced in 4.19 with commit 7259124eac7d1b76b41c7a9cb2511a30556deebe and fixed in 6.6.119 with commit e9dd83a75a7274edef21682c823bf0b66d7b6b7f Issue introduced in 4.19 with commit 7259124eac7d1b76b41c7a9cb2511a30556deebe and fixed in 6.12.61 with commit 0897cea266e39166a36111059ba147192b36592f Issue introduced in 4.19 with commit 7259124eac7d1b76b41c7a9cb2511a30556deebe and fixed in 6.17.11 with commit bd8135a560cf6e64f0b98ed4daadf126a38f7f48 Issue introduced in 4.19 with commit 7259124eac7d1b76b41c7a9cb2511a30556deebe and fixed in 6.18 with commit 0c73772cd2b8cc108d5f5334de89ad648d89b9ec Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-68308 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/58343e0a4d43699f0e2f5b169384bbe4c0217add https://git.kernel.org/stable/c/69c7825df64e24dc15d31631a1fc9145324b1345 https://git.kernel.org/stable/c/028e89c7e8b4346302e88df01cc50e0a1f05791a https://git.kernel.org/stable/c/e9dd83a75a7274edef21682c823bf0b66d7b6b7f https://git.kernel.org/stable/c/0897cea266e39166a36111059ba147192b36592f https://git.kernel.org/stable/c/bd8135a560cf6e64f0b98ed4daadf126a38f7f48 https://git.kernel.org/stable/c/0c73772cd2b8cc108d5f5334de89ad648d89b9ec
Powered by blists - more mailing lists