Message-ID: <2025121630-CVE-2025-68200-3bbb@gregkh>
Date: Tue, 16 Dec 2025 14:54:29 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-68200: bpf: Add bpf_prog_run_data_pointers()

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

bpf: Add bpf_prog_run_data_pointers()

syzbot found that cls_bpf_classify() is able to change
tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().

WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214

struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
Extend qdisc control block with tc control block"), which added a wrong
interaction with db58ba459202 ("bpf: wire in data and data_end for
cls_act_bpf").

drop_reason was added later.

Add bpf_prog_run_data_pointers() helper to save/restore the net_sched
storage colliding with BPF data_meta/data_end.

The Linux kernel CVE team has assigned CVE-2025-68200 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.15.13 with commit 0d76daf2013ce1da20eab5e26bd81d983e1c18fb and fixed in 5.15.197 with commit c4cdd143c35974a2cedd000fa9eb3accc3023b20
	Issue introduced in 5.16 with commit ec624fe740b416fb68d536b37fb8eef46f90b5c2 and fixed in 6.1.159 with commit 5e149d8a8e732126fb6014efd60075cf63a73f91
	Issue introduced in 5.16 with commit ec624fe740b416fb68d536b37fb8eef46f90b5c2 and fixed in 6.6.117 with commit baa61dcaa50b7141048c8d2aede7fe9ed8f21d11
	Issue introduced in 5.16 with commit ec624fe740b416fb68d536b37fb8eef46f90b5c2 and fixed in 6.12.59 with commit 6392e5f4b1a3cce10e828309baf35d22abd3457d
	Issue introduced in 5.16 with commit ec624fe740b416fb68d536b37fb8eef46f90b5c2 and fixed in 6.17.9 with commit 8dd2fe5f5d586c8e87307b7a271f6b994afcc006
	Issue introduced in 5.16 with commit ec624fe740b416fb68d536b37fb8eef46f90b5c2 and fixed in 6.18 with commit 4ef92743625818932b9c320152b58274c05e5053

Please see https://www.kernel.org for a full list of the kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-68200
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	include/linux/filter.h
	net/sched/act_bpf.c
	net/sched/cls_bpf.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c4cdd143c35974a2cedd000fa9eb3accc3023b20
	https://git.kernel.org/stable/c/5e149d8a8e732126fb6014efd60075cf63a73f91
	https://git.kernel.org/stable/c/baa61dcaa50b7141048c8d2aede7fe9ed8f21d11
	https://git.kernel.org/stable/c/6392e5f4b1a3cce10e828309baf35d22abd3457d
	https://git.kernel.org/stable/c/8dd2fe5f5d586c8e87307b7a271f6b994afcc006
	https://git.kernel.org/stable/c/4ef92743625818932b9c320152b58274c05e5053
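
The collision from the Description section, as an added user-space C model (not kernel code and not part of the original announcement): two layers view the same control-block bytes, so writing the BPF data pointers overwrites drop_reason unless those bytes are saved and restored around the program run. The union layout and every struct and function name except run_data_pointers' namesake are constructed for illustration and do not reproduce the kernel's definitions.

```c
/* Constructed user-space model of the collision; NOT the kernel's structs or code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two layers view the same control-block bytes (as with skb->cb). */
union model_cb {
    struct { unsigned char shared[16]; uint32_t drop_reason; } tc;           /* scheduler view */
    struct { unsigned char shared[16]; uintptr_t data_meta, data_end; } bpf; /* BPF view */
};
struct model_skb { union model_cb cb; unsigned char payload[64]; size_t len; };

/* Before: compute the data pointers (clobbering the scheduler view) and "run". */
static int run_prog(struct model_skb *skb)
{
    skb->cb.bpf.data_meta = (uintptr_t)skb->payload;
    skb->cb.bpf.data_end = (uintptr_t)skb->payload + skb->len;
    return (int)(skb->cb.bpf.data_end - skb->cb.bpf.data_meta);
}

/* After: save the colliding bytes, run the program, then restore them. */
static int run_data_pointers(struct model_skb *skb)
{
    uintptr_t save_meta = skb->cb.bpf.data_meta;
    uintptr_t save_end = skb->cb.bpf.data_end;
    int res = run_prog(skb);

    skb->cb.bpf.data_meta = save_meta;
    skb->cb.bpf.data_end = save_end;
    return res;
}

/* Set drop_reason to `reason`, run the classifier, return drop_reason afterwards. */
static uint32_t drop_reason_after(int use_fix, uint32_t reason)
{
    struct model_skb skb;

    memset(&skb, 0, sizeof(skb));
    skb.len = 42;
    skb.cb.tc.drop_reason = reason;
    (void)(use_fix ? run_data_pointers(&skb) : run_prog(&skb));
    return skb.cb.tc.drop_reason;
}

int main(void)
{
    printf("unsaved: %u, saved/restored: %u\n",
           (unsigned)drop_reason_after(0, 2), (unsigned)drop_reason_after(1, 2));
    return 0;
}
```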
