cve/published/2025/CVE-2025-21787.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21787: team: better TEAM_OPTION_TYPE_STRING validation

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 team: better TEAM_OPTION_TYPE_STRING validation

 syzbot reported following splat [1]

 Make sure user-provided data contains one nul byte.

 [1]
  BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline]
  BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714
   string_nocheck lib/vsprintf.c:633 [inline]
   string+0x3ec/0x5f0 lib/vsprintf.c:714
   vsnprintf+0xa5d/0x1960 lib/vsprintf.c:2843
   __request_module+0x252/0x9f0 kernel/module/kmod.c:149
   team_mode_get drivers/net/team/team_core.c:480 [inline]
   team_change_mode drivers/net/team/team_core.c:607 [inline]
   team_mode_option_set+0x437/0x970 drivers/net/team/team_core.c:1401
   team_option_set drivers/net/team/team_core.c:375 [inline]
   team_nl_options_set_doit+0x1339/0x1f90 drivers/net/team/team_core.c:2662
   genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
   genl_rcv_msg+0x1214/0x12c0 net/netlink/genetlink.c:1210
   netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2543
   genl_rcv+0x40/0x60 net/netlink/genetlink.c:1219
   netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
   netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1348
   netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1892
   sock_sendmsg_nosec net/socket.c:718 [inline]
   __sock_sendmsg+0x30f/0x380 net/socket.c:733
   ____sys_sendmsg+0x877/0xb60 net/socket.c:2573
   ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627
   __sys_sendmsg net/socket.c:2659 [inline]
   __do_sys_sendmsg net/socket.c:2664 [inline]
   __se_sys_sendmsg net/socket.c:2662 [inline]
   __x64_sys_sendmsg+0x212/0x3c0 net/socket.c:2662
   x64_sys_call+0x2ed6/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:47
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 The Linux kernel CVE team has assigned CVE-2025-21787 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 5.4.291 with commit 7c30483d0f6bdb2230e10e3e4be5167927eac7a0
 	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 5.10.235 with commit 7f5af50f3aa0af8cbef9fb76fffeed69e8143f59
 	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 5.15.179 with commit f443687ad20c70320d1248f35f57bf46cac8df0a
 	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 6.1.129 with commit 4512482e4805dd30bc77dec511f2a2edba5cb868
 	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 6.6.79 with commit d071a91fa614ecdf760c29f61f6a7bfb7df796d6
 	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 6.12.16 with commit 4236bf4716589558cc0f3c3612642b2c2141b04e
 	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 6.13.4 with commit 8401cade1918281177974b32c925afdce750d292
 	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 6.14 with commit 5bef3ac184b5626ea62385d6b82a1992b89d7940

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21787
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/team/team_core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7c30483d0f6bdb2230e10e3e4be5167927eac7a0
 	https://git.kernel.org/stable/c/7f5af50f3aa0af8cbef9fb76fffeed69e8143f59
 	https://git.kernel.org/stable/c/f443687ad20c70320d1248f35f57bf46cac8df0a
 	https://git.kernel.org/stable/c/4512482e4805dd30bc77dec511f2a2edba5cb868
 	https://git.kernel.org/stable/c/d071a91fa614ecdf760c29f61f6a7bfb7df796d6
 	https://git.kernel.org/stable/c/4236bf4716589558cc0f3c3612642b2c2141b04e
 	https://git.kernel.org/stable/c/8401cade1918281177974b32c925afdce750d292
 	https://git.kernel.org/stable/c/5bef3ac184b5626ea62385d6b82a1992b89d7940
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21787: team: better TEAM_OPTION_TYPE_STRING validation

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	team: better TEAM_OPTION_TYPE_STRING validation

	syzbot reported following splat [1]

	Make sure user-provided data contains one nul byte.

	[1]
	BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline]
	BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714
	string_nocheck lib/vsprintf.c:633 [inline]
	string+0x3ec/0x5f0 lib/vsprintf.c:714
	vsnprintf+0xa5d/0x1960 lib/vsprintf.c:2843
	__request_module+0x252/0x9f0 kernel/module/kmod.c:149
	team_mode_get drivers/net/team/team_core.c:480 [inline]
	team_change_mode drivers/net/team/team_core.c:607 [inline]
	team_mode_option_set+0x437/0x970 drivers/net/team/team_core.c:1401
	team_option_set drivers/net/team/team_core.c:375 [inline]
	team_nl_options_set_doit+0x1339/0x1f90 drivers/net/team/team_core.c:2662
	genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
	genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
	genl_rcv_msg+0x1214/0x12c0 net/netlink/genetlink.c:1210
	netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2543
	genl_rcv+0x40/0x60 net/netlink/genetlink.c:1219
	netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
	netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1348
	netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1892
	sock_sendmsg_nosec net/socket.c:718 [inline]
	__sock_sendmsg+0x30f/0x380 net/socket.c:733
	____sys_sendmsg+0x877/0xb60 net/socket.c:2573
	___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627
	__sys_sendmsg net/socket.c:2659 [inline]
	__do_sys_sendmsg net/socket.c:2664 [inline]
	__se_sys_sendmsg net/socket.c:2662 [inline]
	__x64_sys_sendmsg+0x212/0x3c0 net/socket.c:2662
	x64_sys_call+0x2ed6/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:47
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	The Linux kernel CVE team has assigned CVE-2025-21787 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 5.4.291 with commit 7c30483d0f6bdb2230e10e3e4be5167927eac7a0
	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 5.10.235 with commit 7f5af50f3aa0af8cbef9fb76fffeed69e8143f59
	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 5.15.179 with commit f443687ad20c70320d1248f35f57bf46cac8df0a
	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 6.1.129 with commit 4512482e4805dd30bc77dec511f2a2edba5cb868
	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 6.6.79 with commit d071a91fa614ecdf760c29f61f6a7bfb7df796d6
	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 6.12.16 with commit 4236bf4716589558cc0f3c3612642b2c2141b04e
	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 6.13.4 with commit 8401cade1918281177974b32c925afdce750d292
	Issue introduced in 3.3 with commit 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 and fixed in 6.14 with commit 5bef3ac184b5626ea62385d6b82a1992b89d7940

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21787
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/team/team_core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7c30483d0f6bdb2230e10e3e4be5167927eac7a0
	https://git.kernel.org/stable/c/7f5af50f3aa0af8cbef9fb76fffeed69e8143f59
	https://git.kernel.org/stable/c/f443687ad20c70320d1248f35f57bf46cac8df0a
	https://git.kernel.org/stable/c/4512482e4805dd30bc77dec511f2a2edba5cb868
	https://git.kernel.org/stable/c/d071a91fa614ecdf760c29f61f6a7bfb7df796d6
	https://git.kernel.org/stable/c/4236bf4716589558cc0f3c3612642b2c2141b04e
	https://git.kernel.org/stable/c/8401cade1918281177974b32c925afdce750d292
	https://git.kernel.org/stable/c/5bef3ac184b5626ea62385d6b82a1992b89d7940