| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025122333-CVE-2025-68343-3238@gregkh> Date: Tue, 23 Dec 2025 14:58:37 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-68343: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header The driver expects to receive a struct gs_host_frame in gs_usb_receive_bulk_callback(). Use struct_group to describe the header of the struct gs_host_frame and check that we have at least received the header before accessing any members of it. To resubmit the URB, do not dereference the pointer chain "dev->parent->hf_size_rx" but use "parent->hf_size_rx" instead. Since "urb->context" contains "parent", it is always defined, while "dev" is not defined if the URB it too short. The Linux kernel CVE team has assigned CVE-2025-68343 to this issue. Affected and fixed versions =========================== Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 6.1.159 with commit 18cbce43363c9f84b90a92d57df341155eee0697 Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 6.6.119 with commit 3433680b759646efcacc64fe36aa2e51ae34b8f0 Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 6.12.61 with commit 616eee3e895b8ca0028163fcb1dce5e3e9dea322 Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 6.17.11 with commit f31693dc3a584c0ad3937e857b59dbc1a7ed2b87 Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 6.18 with commit 6fe9f3279f7d2518439a7962c5870c6e9ecbadcf Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-68343 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/can/usb/gs_usb.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/18cbce43363c9f84b90a92d57df341155eee0697 https://git.kernel.org/stable/c/3433680b759646efcacc64fe36aa2e51ae34b8f0 https://git.kernel.org/stable/c/616eee3e895b8ca0028163fcb1dce5e3e9dea322 https://git.kernel.org/stable/c/f31693dc3a584c0ad3937e857b59dbc1a7ed2b87 https://git.kernel.org/stable/c/6fe9f3279f7d2518439a7962c5870c6e9ecbadcf
Powered by blists - more mailing lists