| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026011415-CVE-2025-71120-d0a6@gregkh> Date: Wed, 14 Jan 2026 16:06:25 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-71120: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the copy length is 0. Guard the first memcpy so it only runs when length > 0. The Linux kernel CVE team has assigned CVE-2025-71120 to this issue. Affected and fixed versions =========================== Issue introduced in 5.5 with commit 5866efa8cbfbadf3905072798e96652faf02dbe8 and fixed in 6.1.160 with commit f9e53f69ac3bc4ef568b08d3542edac02e83fefd Issue introduced in 5.5 with commit 5866efa8cbfbadf3905072798e96652faf02dbe8 and fixed in 6.6.120 with commit 7452d53f293379e2c38cfa8ad0694aa46fc4788b Issue introduced in 5.5 with commit 5866efa8cbfbadf3905072798e96652faf02dbe8 and fixed in 6.12.64 with commit a2c6f25ab98b423f99ccd94874d655b8bcb01a19 Issue introduced in 5.5 with commit 5866efa8cbfbadf3905072798e96652faf02dbe8 and fixed in 6.18.3 with commit 1c8bb965e9b0559ff0f5690615a527c30f651dd8 Issue introduced in 5.5 with commit 5866efa8cbfbadf3905072798e96652faf02dbe8 and fixed in 6.19-rc3 with commit d4b69a6186b215d2dc1ebcab965ed88e8d41768d Issue introduced in 4.19.99 with commit 66ed7b413d31c6ff23901ac4443b1cc1af2f6113 Issue introduced in 5.4.15 with commit 7be8c165dc81564705e8e0b72d398ef708f67eaa Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-71120 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/sunrpc/auth_gss/svcauth_gss.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/f9e53f69ac3bc4ef568b08d3542edac02e83fefd https://git.kernel.org/stable/c/7452d53f293379e2c38cfa8ad0694aa46fc4788b https://git.kernel.org/stable/c/a2c6f25ab98b423f99ccd94874d655b8bcb01a19 https://git.kernel.org/stable/c/1c8bb965e9b0559ff0f5690615a527c30f651dd8 https://git.kernel.org/stable/c/d4b69a6186b215d2dc1ebcab965ed88e8d41768d
Powered by blists - more mailing lists