cve/published/2025/CVE-2025-21719.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21719: ipmr: do not call mr_mfc_uses_dev() for unres entries

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ipmr: do not call mr_mfc_uses_dev() for unres entries

 syzbot found that calling mr_mfc_uses_dev() for unres entries
 would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif
 alias to "struct sk_buff_head unresolved", which contain two pointers.

 This code never worked, lets remove it.

 [1]
 Unable to handle kernel paging request at virtual address ffff5fff2d536613
 KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]
 Modules linked in:
 CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]
  pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334
  lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]
  lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334
 Call trace:
   mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)
   mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)
   mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382
   ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648
   rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327
   rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791
   netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317
   netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973
   sock_recvmsg_nosec net/socket.c:1033 [inline]
   sock_recvmsg net/socket.c:1055 [inline]
   sock_read_iter+0x2d8/0x40c net/socket.c:1125
   new_sync_read fs/read_write.c:484 [inline]
   vfs_read+0x740/0x970 fs/read_write.c:565
   ksys_read+0x15c/0x26c fs/read_write.c:708

 The Linux kernel CVE team has assigned CVE-2025-21719 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 5.4.291 with commit 71a0fcb68c0a5f3ec912b540cd5d72148e6ee5f1
 	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 5.10.235 with commit 53df27fd38f84bd3cd6b004eb4ff3c4903114f1d
 	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 5.15.179 with commit 547ef7e8cbb98f966c8719a3e15d4e078aaa9b47
 	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.1.129 with commit 57177c5f47a8da852f8d76cf6945cf803f8bb9e5
 	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.6.76 with commit b379b3162ff55a70464c6a934ae9bf0497478a62
 	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.12.13 with commit a099834a51ccf9bbba3de86a251b3433539abfde
 	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.13.2 with commit 26bb7d991f04eeef47dfad23e533834995c26f7a
 	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.14 with commit 15a901361ec3fb1c393f91880e1cbf24ec0a88bd

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21719
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/ipmr_base.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/71a0fcb68c0a5f3ec912b540cd5d72148e6ee5f1
 	https://git.kernel.org/stable/c/53df27fd38f84bd3cd6b004eb4ff3c4903114f1d
 	https://git.kernel.org/stable/c/547ef7e8cbb98f966c8719a3e15d4e078aaa9b47
 	https://git.kernel.org/stable/c/57177c5f47a8da852f8d76cf6945cf803f8bb9e5
 	https://git.kernel.org/stable/c/b379b3162ff55a70464c6a934ae9bf0497478a62
 	https://git.kernel.org/stable/c/a099834a51ccf9bbba3de86a251b3433539abfde
 	https://git.kernel.org/stable/c/26bb7d991f04eeef47dfad23e533834995c26f7a
 	https://git.kernel.org/stable/c/15a901361ec3fb1c393f91880e1cbf24ec0a88bd
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21719: ipmr: do not call mr_mfc_uses_dev() for unres entries

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ipmr: do not call mr_mfc_uses_dev() for unres entries

	syzbot found that calling mr_mfc_uses_dev() for unres entries
	would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif
	alias to "struct sk_buff_head unresolved", which contain two pointers.

	This code never worked, lets remove it.

	[1]
	Unable to handle kernel paging request at virtual address ffff5fff2d536613
	KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]
	Modules linked in:
	CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
	pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]
	pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334
	lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]
	lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334
	Call trace:
	mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)
	mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)
	mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382
	ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648
	rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327
	rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791
	netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317
	netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973
	sock_recvmsg_nosec net/socket.c:1033 [inline]
	sock_recvmsg net/socket.c:1055 [inline]
	sock_read_iter+0x2d8/0x40c net/socket.c:1125
	new_sync_read fs/read_write.c:484 [inline]
	vfs_read+0x740/0x970 fs/read_write.c:565
	ksys_read+0x15c/0x26c fs/read_write.c:708

	The Linux kernel CVE team has assigned CVE-2025-21719 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 5.4.291 with commit 71a0fcb68c0a5f3ec912b540cd5d72148e6ee5f1
	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 5.10.235 with commit 53df27fd38f84bd3cd6b004eb4ff3c4903114f1d
	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 5.15.179 with commit 547ef7e8cbb98f966c8719a3e15d4e078aaa9b47
	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.1.129 with commit 57177c5f47a8da852f8d76cf6945cf803f8bb9e5
	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.6.76 with commit b379b3162ff55a70464c6a934ae9bf0497478a62
	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.12.13 with commit a099834a51ccf9bbba3de86a251b3433539abfde
	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.13.2 with commit 26bb7d991f04eeef47dfad23e533834995c26f7a
	Issue introduced in 4.20 with commit cb167893f41e21e6bd283d78e53489289dc0592d and fixed in 6.14 with commit 15a901361ec3fb1c393f91880e1cbf24ec0a88bd

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21719
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/ipmr_base.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/71a0fcb68c0a5f3ec912b540cd5d72148e6ee5f1
	https://git.kernel.org/stable/c/53df27fd38f84bd3cd6b004eb4ff3c4903114f1d
	https://git.kernel.org/stable/c/547ef7e8cbb98f966c8719a3e15d4e078aaa9b47
	https://git.kernel.org/stable/c/57177c5f47a8da852f8d76cf6945cf803f8bb9e5
	https://git.kernel.org/stable/c/b379b3162ff55a70464c6a934ae9bf0497478a62
	https://git.kernel.org/stable/c/a099834a51ccf9bbba3de86a251b3433539abfde
	https://git.kernel.org/stable/c/26bb7d991f04eeef47dfad23e533834995c26f7a
	https://git.kernel.org/stable/c/15a901361ec3fb1c393f91880e1cbf24ec0a88bd