| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025121635-CVE-2025-68227-930f@gregkh>
Date: Tue, 16 Dec 2025 14:57:46 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-68227: mptcp: Fix proto fallback detection with BPF
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
mptcp: Fix proto fallback detection with BPF
The sockmap feature allows bpf syscall from userspace, or based
on bpf sockops, replacing the sk_prot of sockets during protocol stack
processing with sockmap's custom read/write interfaces.
'''
tcp_rcv_state_process()
syn_recv_sock()/subflow_syn_recv_sock()
tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)
bpf_skops_established <== sockops
bpf_sock_map_update(sk) <== call bpf helper
tcp_bpf_update_proto() <== update sk_prot
'''
When the server has MPTCP enabled but the client sends a TCP SYN
without MPTCP, subflow_syn_recv_sock() performs a fallback on the
subflow, replacing the subflow sk's sk_prot with the native sk_prot.
'''
subflow_syn_recv_sock()
subflow_ulp_fallback()
subflow_drop_ctx()
mptcp_subflow_ops_undo_override()
'''
Then, this subflow can be normally used by sockmap, which replaces the
native sk_prot with sockmap's custom sk_prot. The issue occurs when the
user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().
Here, it uses sk->sk_prot to compare with the native sk_prot, but this
is incorrect when sockmap is used, as we may incorrectly set
sk->sk_socket->ops.
This fix uses the more generic sk_family for the comparison instead.
Additionally, this also prevents a WARNING from occurring:
result from ./scripts/decode_stacktrace.sh:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \
(net/mptcp/protocol.c:4005)
Modules linked in:
...
PKRU: 55555554
Call Trace:
<TASK>
do_accept (net/socket.c:1989)
__sys_accept4 (net/socket.c:2028 net/socket.c:2057)
__x64_sys_accept (net/socket.c:2067)
x64_sys_call (arch/x86/entry/syscall_64.c:41)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f87ac92b83d
---[ end trace 0000000000000000 ]---
The Linux kernel CVE team has assigned CVE-2025-68227 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.7 with commit 0b4f33def7bbde1ce2fea05f116639270e7acdc7 and fixed in 5.10.247 with commit 92c4092fe012ecdfa5fb05d394f1c1d8f91ad81c
Issue introduced in 5.7 with commit 0b4f33def7bbde1ce2fea05f116639270e7acdc7 and fixed in 5.15.197 with commit 7ee8f015eb47907745e2070184a8ab1e442ac3c4
Issue introduced in 5.7 with commit 0b4f33def7bbde1ce2fea05f116639270e7acdc7 and fixed in 6.1.159 with commit 344974ea1a3ca30e4920687b0091bda4438cebdb
Issue introduced in 5.7 with commit 0b4f33def7bbde1ce2fea05f116639270e7acdc7 and fixed in 6.6.118 with commit 037cc50589643342d69185b663ecf9d26cce91e8
Issue introduced in 5.7 with commit 0b4f33def7bbde1ce2fea05f116639270e7acdc7 and fixed in 6.12.60 with commit 9b1980b6f23fa30bf12add19f37c7458625099eb
Issue introduced in 5.7 with commit 0b4f33def7bbde1ce2fea05f116639270e7acdc7 and fixed in 6.17.10 with commit 1a0d5c74af9b6ba9ffdf1172de5a1a6df5922a00
Issue introduced in 5.7 with commit 0b4f33def7bbde1ce2fea05f116639270e7acdc7 and fixed in 6.18 with commit c77b3b79a92e3345aa1ee296180d1af4e7031f8f
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-68227
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/mptcp/protocol.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/92c4092fe012ecdfa5fb05d394f1c1d8f91ad81c
https://git.kernel.org/stable/c/7ee8f015eb47907745e2070184a8ab1e442ac3c4
https://git.kernel.org/stable/c/344974ea1a3ca30e4920687b0091bda4438cebdb
https://git.kernel.org/stable/c/037cc50589643342d69185b663ecf9d26cce91e8
https://git.kernel.org/stable/c/9b1980b6f23fa30bf12add19f37c7458625099eb
https://git.kernel.org/stable/c/1a0d5c74af9b6ba9ffdf1172de5a1a6df5922a00
https://git.kernel.org/stable/c/c77b3b79a92e3345aa1ee296180d1af4e7031f8f
Powered by blists - more mailing lists