Message-ID: <2025121632-CVE-2025-68241-854d@gregkh>
Date: Tue, 16 Dec 2025 15:21:33 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-68241: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe

The sit driver's packet transmission path calls: sit_tunnel_xmit() ->
update_or_create_fnhe(), which leads to fnhe_remove_oldest() being called
to delete entries exceeding FNHE_RECLAIM_DEPTH+random.

The race window is between fnhe_remove_oldest() selecting fnheX for
deletion and the subsequent kfree_rcu(). During this time, the
concurrent path's __mkroute_output() -> find_exception() can fetch the
soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a
new dst using a dst_hold(). When the original fnheX is freed via RCU,
the dst reference remains permanently leaked.

CPU 0                             CPU 1
__mkroute_output()
  find_exception() [fnheX]
                                  update_or_create_fnhe()
                                    fnhe_remove_oldest() [fnheX]
  rt_bind_exception() [bind dst]
                                  RCU callback [fnheX freed, dst leak]

This issue manifests as a device reference count leak and a warning in
dmesg when unregistering the net device:

  unregister_netdevice: waiting for sitX to become free. Usage count = N

Ido Schimmel provided the simple test validation method [1].

The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes().
Since rt_bind_exception() checks this field, setting it to zero prevents
the stale fnhe from being reused and bound to a new dst just before it
is freed.

[1]
ip netns add ns1
ip -n ns1 link set dev lo up
ip -n ns1 address add 192.0.2.1/32 dev lo
ip -n ns1 link add name dummy1 up type dummy
ip -n ns1 route add 192.0.2.2/32 dev dummy1
ip -n ns1 link add name gretap1 up arp off type gretap \
    local 192.0.2.1 remote 192.0.2.2
ip -n ns1 route add 198.51.0.0/16 dev gretap1
taskset -c 0 ip netns exec ns1 mausezahn gretap1 \
    -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
taskset -c 2 ip netns exec ns1 mausezahn gretap1 \
    -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
sleep 10
ip netns pids ns1 | xargs kill
ip netns del ns1

The Linux kernel CVE team has assigned CVE-2025-68241 to this issue.
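The interleaving in the description and the effect of the one-line fix can be replayed in a small single-threaded model. The following is an added example, not code from the kernel or from the fix commit: the struct names, the refcount field and run_race() are constructed stand-ins for fnhe/dst and the kernel helpers, and the interleaving is driven step by step in the order shown in the CPU 0 / CPU 1 diagram above rather than by real threads. It returns the dst reference count after fnheX has been freed: 1 is the leak, 0 is the corrected behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the race, not kernel code. One dst with a
 * reference count and a one-entry exception bucket are enough. */
struct dst_entry {
    int refcnt;              /* dst_hold() increments, dst_release() decrements */
};

struct fnhe {
    uint32_t daddr;          /* stands in for fnhe_daddr; 0 means invalidated */
    struct dst_entry *dst;   /* the bound route, or NULL */
    int freed;               /* set once the RCU callback has run */
};

/* find_exception(): lookup by destination. The reader holds only the RCU
 * read lock, so the entry it returns may be removed concurrently. */
static struct fnhe *find_exception(struct fnhe *bucket, size_t n, uint32_t daddr)
{
    for (size_t i = 0; i < n; i++)
        if (!bucket[i].freed && bucket[i].daddr == daddr)
            return &bucket[i];
    return NULL;
}

/* rt_bind_exception(): bind a new dst only if the entry's key still matches.
 * This is the check the fix relies on: a zeroed key never matches. */
static int rt_bind_exception(struct fnhe *fnhe, struct dst_entry *dst, uint32_t daddr)
{
    if (fnhe->daddr != daddr)
        return 0;            /* stale entry, caller falls back to a normal route */
    dst->refcnt++;           /* dst_hold() */
    fnhe->dst = dst;
    return 1;
}

/* fnhe_flush_routes(): release whatever dst the entry holds right now. */
static void fnhe_flush_routes(struct fnhe *fnhe)
{
    if (fnhe->dst) {
        fnhe->dst->refcnt--; /* dst_release() */
        fnhe->dst = NULL;
    }
}

/* fnhe_remove_oldest(): 'fixed' selects the ordering from the patch, which
 * clears the key before flushing so a late binder is rejected. */
static void fnhe_remove_oldest(struct fnhe *oldest, int fixed)
{
    if (fixed)
        oldest->daddr = 0;   /* the fix: invalidate the key first */
    fnhe_flush_routes(oldest);
    /* kfree_rcu(oldest, rcu) is queued here; the callback runs later. */
}

/* rcu_callback(): the entry's memory goes away. A dst bound after the
 * flush is never released, which is the leaked reference. */
static void rcu_callback(struct fnhe *fnhe)
{
    fnhe->freed = 1;
    fnhe->dst = NULL;        /* pointer lost together with the freed entry */
}

/* Replay the CPU 0 / CPU 1 interleaving and return the dst reference count
 * once fnheX has been freed: 0 is correct, 1 is the leak. */
int run_race(int fixed)
{
    const uint32_t daddr = 0xC0000202u;          /* constructed key: 192.0.2.2 */
    struct dst_entry dst = { 0 };
    struct fnhe bucket[1] = { { daddr, NULL, 0 } };

    /* CPU 0: __mkroute_output() -> find_exception() returns fnheX */
    struct fnhe *fnhex = find_exception(bucket, 1, daddr);
    if (!fnhex)
        return -1;

    /* CPU 1: update_or_create_fnhe() -> fnhe_remove_oldest() picks fnheX */
    fnhe_remove_oldest(fnhex, fixed);

    /* CPU 0: rt_bind_exception() runs against the soon-to-be-freed entry */
    rt_bind_exception(fnhex, &dst, daddr);

    /* CPU 1: RCU callback frees fnheX */
    rcu_callback(fnhex);

    return dst.refcnt;
}

int main(void)
{
    printf("unfixed: dst refcnt after free = %d\n", run_race(0));
    printf("fixed:   dst refcnt after free = %d\n", run_race(1));
    return 0;
}
```

The model keeps only what the description depends on: a lookup keyed on the destination, a bind that re-checks that key, and a removal that flushes and then frees. With the original ordering the bind succeeds after the flush, so the reference taken by dst_hold() has no owner left once the entry is freed; with the key zeroed first, the same bind is refused and the count returns to zero.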


Affected and fixed versions
===========================

	Issue introduced in 5.4.146 with commit e46e23c289f62ccd8e2230d9ce652072d777ff30 and fixed in 5.4.302 with commit 69d35c12168f9c59b159ae566f77dfad9f96d7ca
	Issue introduced in 5.10.65 with commit 5867e20e1808acd0c832ddea2587e5ee49813874 and fixed in 5.10.247 with commit 4b7210da22429765d19460d38c30eeca72656282
	Issue introduced in 5.15 with commit 67d6d681e15b578c1725bad8ad079e05d1c48a8e and fixed in 5.15.197 with commit 298f1e0694ab4edb6092d66efed93c4554e6ced1
	Issue introduced in 5.15 with commit 67d6d681e15b578c1725bad8ad079e05d1c48a8e and fixed in 6.1.159 with commit b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94
	Issue introduced in 5.15 with commit 67d6d681e15b578c1725bad8ad079e05d1c48a8e and fixed in 6.6.117 with commit 041ab9ca6e80d8f792bb69df28ebf1ef39c06af8
	Issue introduced in 5.15 with commit 67d6d681e15b578c1725bad8ad079e05d1c48a8e and fixed in 6.12.59 with commit b84f083f50ecc736a95091691339a1b363962f0e
	Issue introduced in 5.15 with commit 67d6d681e15b578c1725bad8ad079e05d1c48a8e and fixed in 6.17.9 with commit 0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0
	Issue introduced in 5.15 with commit 67d6d681e15b578c1725bad8ad079e05d1c48a8e and fixed in 6.18 with commit ac1499fcd40fe06479e9b933347b837ccabc2a40
	Issue introduced in 4.4.284 with commit bed8941fbdb72a61f6348c4deb0db69c4de87aca
	Issue introduced in 4.9.283 with commit f10ce783bcc4d8ea454563a7d56ae781640e7dcb
	Issue introduced in 4.14.247 with commit f484595be6b7ef9d095a32becabb5dae8204fb2a
	Issue introduced in 4.19.207 with commit 3e6bd2b583f18da9856fc9741ffa200a74a52cba
	Issue introduced in 5.13.17 with commit 5ae06218331f39ec45b5d039aa7cb3ddd4bb8008
	Issue introduced in 5.14.4 with commit 4589a12dcf80af31137ef202be1ff4a321707a73

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-68241
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/ipv4/route.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other, bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/69d35c12168f9c59b159ae566f77dfad9f96d7ca
	https://git.kernel.org/stable/c/4b7210da22429765d19460d38c30eeca72656282
	https://git.kernel.org/stable/c/298f1e0694ab4edb6092d66efed93c4554e6ced1
	https://git.kernel.org/stable/c/b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94
	https://git.kernel.org/stable/c/041ab9ca6e80d8f792bb69df28ebf1ef39c06af8
	https://git.kernel.org/stable/c/b84f083f50ecc736a95091691339a1b363962f0e
	https://git.kernel.org/stable/c/0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0
	https://git.kernel.org/stable/c/ac1499fcd40fe06479e9b933347b837ccabc2a40
