From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2025-21858: geneve: Fix use-after-free in geneve_find_dev().

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

geneve: Fix use-after-free in geneve_find_dev().

syzkaller reported a use-after-free in geneve_find_dev() [0]
without repro.

geneve_configure() links struct geneve_dev.next to
net_generic(net, geneve_net_id)->geneve_list.

The net here could differ from dev_net(dev) if IFLA_NET_NS_PID,
IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.

When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally
calls unregister_netdevice_queue() for each dev in the netns,
and later the dev is freed.

However, its geneve_dev.next is still linked to the backend UDP
socket netns.

Then, use-after-free will occur when another geneve dev is created
in the netns.

Let's call geneve_dellink() instead in geneve_destroy_tunnels().

[0]:
BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline]
BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343
Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441

CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d
Hardware name: linux,dummy-virt (DT)
Call trace:
show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x16c/0x6f0 mm/kasan/report.c:489
kasan_report+0xc0/0x120 mm/kasan/report.c:602
__asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379
geneve_find_dev drivers/net/geneve.c:1295 [inline]
geneve_configure+0x234/0x858 drivers/net/geneve.c:1343
geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634
rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795
__rtnl_newlink net/core/rtnetlink.c:3906 [inline]
rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021
rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911
netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543
rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348
netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:713 [inline]
__sock_sendmsg net/socket.c:728 [inline]
____sys_sendmsg+0x410/0x6f8 net/socket.c:2568
___sys_sendmsg+0x178/0x1d8 net/socket.c:2622
__sys_sendmsg net/socket.c:2654 [inline]
__do_sys_sendmsg net/socket.c:2659 [inline]
__se_sys_sendmsg net/socket.c:2657 [inline]
__arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151
el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600

Allocated by task 13247:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x68 mm/kasan/common.c:68
kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4298 [inline]
__kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304
__kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645
alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470
rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604
rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780
__rtnl_newlink net/core/rtnetlink.c:3906 [inline]
rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021
rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911
netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543
rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348
netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:713 [inline]
__sock_sendmsg net/socket.c:728 [inline]
____sys_sendmsg+0x410/0x6f8 net/socket.c:2568
___sys_sendmsg+0x178/0x1d8 net/socket.c:2622
__sys_sendmsg net/socket.c:2654 [inline]
__do_sys_sendmsg net/socket.c:2659 [inline]
__se_sys_sendmsg net/socket.c:2657 [inline]
__arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151
el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600

Freed by task 45:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x68 mm/kasan/common.c:68
kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:582
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x48/0x68 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4613 [inline]
kfree+0x140/0x420 mm/slub.c:4761
kvfree+0x4c/0x68 mm/util.c:688
netdev_release+0x94/0xc8 net/core/net-sysfs.c:2065
device_release+0x98/0x1c0
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x2b0/0x438 lib/kobject.c:737
netdev_run_todo+0xe5c/0xfc8 net/core/dev.c:11185
rtnl_unlock+0x20/0x38 net/core/rtnetlink.c:151
cleanup_net+0x4fc/0x8c0 net/core/net_namespace.c:648
process_one_work+0x700/0x1398 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x8c4/0xe10 kernel/workqueue.c:3398
kthread+0x4bc/0x608 kernel/kthread.c:464
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

The buggy address belongs to the object at ffff000054d6e000
which belongs to the cache kmalloc-cg-4k of size 4096
The buggy address is located 3620 bytes inside of
freed 4096-byte region [ffff000054d6e000, ffff000054d6f000)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x94d68
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff000016276181
flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
page_type: f5(slab)
raw: 03fffe0000000040 ffff0000c000f500 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000040004 00000001f5000000 ffff000016276181
head: 03fffe0000000040 ffff0000c000f500 dead000000000122 0000000000000000
head: 0000000000000000 0000000000040004 00000001f5000000 ffff000016276181
head: 03fffe0000000003 fffffdffc1535a01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff000054d6ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff000054d6ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff000054d6ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
ffff000054d6ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff000054d6ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

The Linux kernel CVE team has assigned CVE-2025-21858 to this issue.
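
The commit message above describes a lifetime split: the netdev is owned by
one namespace (dev_net(dev)) but its list entry lives in another (the UDP
socket's namespace), and namespace teardown frees the object without
unlinking it. The following C model, added by the editor and not taken from
the kernel or the fix, reproduces that shape in user space so the two
teardown paths can be compared. All names (gdev, geneve_create,
geneve_ns_exit, live[], run_scenario) are invented for the model; it tracks
liveness in a registry instead of reading freed memory, so the "UAF" is
reported as a dangling list entry rather than triggered.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model written for this page, not kernel code; the names are invented.
 * Two namespaces.  A gdev is owned by dev_ns (dev_net(dev)) but is linked
 * into the geneve list of sock_ns, the namespace of its UDP socket, which
 * differs when the link was created with IFLA_NET_NS_FD and friends. */
#define NS_COUNT 2
#define MAX_DEVS 8

struct gdev {
    char name[16];
    int dev_ns, sock_ns;
    struct gdev *next;                     /* geneve_dev.next */
};

static struct gdev *geneve_list[NS_COUNT]; /* net_generic()->geneve_list */
static struct gdev *live[MAX_DEVS];        /* allocated and not yet freed */
static int n_live;

static int is_live(const struct gdev *d)
{
    for (int i = 0; i < n_live; i++)
        if (live[i] == d) return 1;
    return 0;
}

/* geneve_configure(): allocate, push onto the socket namespace's list. */
static struct gdev *geneve_create(const char *name, int dev_ns, int sock_ns)
{
    struct gdev *d = calloc(1, sizeof *d);
    if (!d) abort();
    snprintf(d->name, sizeof d->name, "%s", name);
    d->dev_ns = dev_ns;
    d->sock_ns = sock_ns;
    d->next = geneve_list[sock_ns];
    geneve_list[sock_ns] = d;
    live[n_live++] = d;
    return d;
}

/* geneve_dellink(): what the fix adds to the teardown path, unlink first. */
static void geneve_dellink(struct gdev *d)
{
    struct gdev **pp = &geneve_list[d->sock_ns];
    while (*pp && *pp != d) pp = &(*pp)->next;
    if (*pp) *pp = d->next;
}

/* unregister_netdevice_queue() and the eventual kfree(): forget and free. */
static void netdev_free(struct gdev *d)
{
    for (int i = 0; i < n_live; i++)
        if (live[i] == d) { live[i] = live[--n_live]; break; }
    free(d);
}

/* geneve_exit_batch_rtnl() for one dying namespace.  With use_dellink == 0
 * this is the pre-fix behaviour: the entry stays on the other list. */
static void geneve_ns_exit(int dying_ns, int use_dellink)
{
    for (int i = n_live - 1; i >= 0; i--) {
        struct gdev *d = live[i];
        if (d->dev_ns != dying_ns) continue;
        if (use_dellink) geneve_dellink(d);
        netdev_free(d);
    }
}

/* geneve_find_dev() walks this list.  Returns 0 if an entry is a freed
 * object, the read KASAN flagged.  The liveness test runs before the pointer
 * is dereferenced, so the model never touches freed memory itself. */
static int geneve_list_is_sane(int sock_ns)
{
    for (struct gdev *d = geneve_list[sock_ns]; d; d = d->next)
        if (!is_live(d)) return 0;
    return 1;
}

static void reset_model(void)
{
    while (n_live > 0) free(live[--n_live]);
    for (int i = 0; i < NS_COUNT; i++) geneve_list[i] = NULL;
}

/* Device owned by ns 1 whose socket, and so list entry, is in ns 0; then
 * ns 1 is dismantled.  Returns 1 if ns 0's list is still safe to walk. */
static int run_scenario(int use_dellink)
{
    reset_model();
    geneve_create("gnv-local", 0, 0);      /* owner and list agree */
    geneve_create("gnv-cross", 1, 0);      /* IFLA_NET_NS_FD-style split */
    geneve_ns_exit(1, use_dellink);
    return geneve_list_is_sane(0);
}

int main(void)
{
    printf("pre-fix teardown: list %s\n", run_scenario(0) ? "sane" : "holds a freed device");
    printf("with dellink:     list %s\n", run_scenario(1) ? "sane" : "holds a freed device");
    return 0;
}
```

The point of the model is that the buggy path is not a missing free or a
double free: the object is freed exactly once, but a pointer to it survives
in a data structure owned by a namespace that is still alive. Any later walk
of that list from that namespace (here, creating another geneve device whose
socket lands in ns 0) reads the freed slab object, which is the "Read of size
2" in the KASAN report.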


Affected and fixed versions
===========================

Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 5.4.291 with commit d5e86e27de0936f3cb0a299ce519d993e9cf3886
Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 5.10.235 with commit 5a0538ac6826807d6919f6aecbb8996c2865af2c
Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 5.15.179 with commit f74f6560146714241c6e167b03165ee77a86e316
Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 6.1.130 with commit 904e746b2e7fa952ab8801b303ce826a63153d78
Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 6.6.80 with commit 3ce92ca990cfac88a87c61df3cc0b5880e688ecf
Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 6.12.17 with commit da9b0ae47f084014b1e4b3f31f70a0defd047ff3
Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 6.13.5 with commit 788dbca056a8783ec063da3c9d49a3a71c76c283
Issue introduced in 4.2 with commit 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b and fixed in 6.14 with commit 9593172d93b9f91c362baec4643003dc29802929

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-21858
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
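
As an added check, not part of the advisory or of any kernel.org tooling,
the shell function below classifies an upstream kernel version string against
the version table above: before 4.2 is unaffected, 6.14 and later carry the
mainline fix, the listed stable series are fixed from the listed release on,
and any other series between 4.2 and 6.14 is reported as vulnerable because
the advisory lists no fixed release for it. The function name and the
"unknown" result for unparsable input are the editor's choices. It is only
meaningful for vanilla or stable.kernel.org kernels: distributions backport
fixes without bumping the version, so for a distro kernel the distribution's
own advisory is the authority.

```shell
#!/bin/sh
# Added helper, not part of the advisory: classify an upstream kernel version
# string against the fixed versions listed for CVE-2025-21858.
# Valid only for vanilla/stable kernels; distributions backport fixes without
# bumping the version, so for those consult the distribution's own advisory.

# stable series -> first release carrying the fix, copied from the advisory
FIXED_TABLE="5.4:291 5.10:235 5.15:179 6.1:130 6.6:80 6.12:17 6.13:5"

# Prints one of: unaffected, fixed, vulnerable, unknown.
cve_2025_21858_status() {
    # keep the leading major.minor[.patch]; drop "-generic", "-rc1" and the like
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p')
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    maj=${ver%%.*}
    rest=${ver#*.}
    min=${rest%%.*}
    case "$rest" in *.*) pat=${rest#*.} ;; *) pat=0 ;; esac

    # introduced in 4.2: anything older never had the buggy code
    if [ "$maj" -lt 4 ] || { [ "$maj" -eq 4 ] && [ "$min" -lt 2 ]; }; then
        echo unaffected; return 0
    fi
    # the mainline fix landed in 6.14
    if [ "$maj" -gt 6 ] || { [ "$maj" -eq 6 ] && [ "$min" -ge 14 ]; }; then
        echo fixed; return 0
    fi
    # a listed stable series: fixed from the listed patch level on
    for entry in $FIXED_TABLE; do
        if [ "${entry%%:*}" = "$maj.$min" ]; then
            if [ "$pat" -ge "${entry#*:}" ]; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    # a series between 4.2 and 6.14 with no fixed release in the advisory
    echo vulnerable
}

printf 'running kernel %s: %s\n' "$(uname -r)" "$(cve_2025_21858_status "$(uname -r)")"
```

Run it as-is to classify the running kernel, or pass a version string
explicitly (for example `cve_2025_21858_status 6.6.79`). A "vulnerable"
result on a distribution kernel means only that the version number predates
the upstream fix; check the distribution's changelog for a backport of the
commits listed under Mitigation.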


Affected files
==============

The file(s) affected by this issue are:
drivers/net/geneve.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/d5e86e27de0936f3cb0a299ce519d993e9cf3886
https://git.kernel.org/stable/c/5a0538ac6826807d6919f6aecbb8996c2865af2c
https://git.kernel.org/stable/c/f74f6560146714241c6e167b03165ee77a86e316
https://git.kernel.org/stable/c/904e746b2e7fa952ab8801b303ce826a63153d78
https://git.kernel.org/stable/c/3ce92ca990cfac88a87c61df3cc0b5880e688ecf
https://git.kernel.org/stable/c/da9b0ae47f084014b1e4b3f31f70a0defd047ff3
https://git.kernel.org/stable/c/788dbca056a8783ec063da3c9d49a3a71c76c283
https://git.kernel.org/stable/c/9593172d93b9f91c362baec4643003dc29802929