| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025122332-CVE-2025-68342-7f69@gregkh> Date: Tue, 23 Dec 2025 14:58:36 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-68342: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data The URB received in gs_usb_receive_bulk_callback() contains a struct gs_host_frame. The length of the data after the header depends on the gs_host_frame hf::flags and the active device features (e.g. time stamping). Introduce a new function gs_usb_get_minimum_length() and check that we have at least received the required amount of data before accessing it. Only copy the data to that skb that has actually been received. [mkl: rename gs_usb_get_minimum_length() -> +gs_usb_get_minimum_rx_length()] The Linux kernel CVE team has assigned CVE-2025-68342 to this issue. Affected and fixed versions =========================== Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 6.6.119 with commit 4ffac725154cf6a253f5e6aa0c8946232b6a0af5 Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 6.12.61 with commit ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 6.17.11 with commit fb0c7c77a7ae3a2c3404b7d0173b8739a754b513 Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 6.18 with commit 395d988f93861101ec89d0dd9e3b876ae9392a5b Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-68342 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/can/usb/gs_usb.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/4ffac725154cf6a253f5e6aa0c8946232b6a0af5 https://git.kernel.org/stable/c/ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b https://git.kernel.org/stable/c/fb0c7c77a7ae3a2c3404b7d0173b8739a754b513 https://git.kernel.org/stable/c/395d988f93861101ec89d0dd9e3b876ae9392a5b
Powered by blists - more mailing lists