cve/published/2025/CVE-2025-21891.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21891: ipvlan: ensure network headers are in skb linear part

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ipvlan: ensure network headers are in skb linear part

 syzbot found that ipvlan_process_v6_outbound() was assuming
 the IPv6 network header isis present in skb->head [1]

 Add the needed pskb_network_may_pull() calls for both
 IPv4 and IPv6 handlers.

 [1]
 BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47
   __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47
   ipv6_addr_type include/net/ipv6.h:555 [inline]
   ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline]
   ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651
   ip6_route_output include/net/ip6_route.h:93 [inline]
   ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476
   ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline]
   ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline]
   ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline]
   ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671
   ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223
   __netdev_start_xmit include/linux/netdevice.h:5150 [inline]
   netdev_start_xmit include/linux/netdevice.h:5159 [inline]
   xmit_one net/core/dev.c:3735 [inline]
   dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751
   sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343
   qdisc_restart net/sched/sch_generic.c:408 [inline]
   __qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416
   qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127
   net_tx_action+0x78b/0x940 net/core/dev.c:5484
   handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561
   __do_softirq+0x14/0x1a kernel/softirq.c:595
   do_softirq+0x9a/0x100 kernel/softirq.c:462
   __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389
   local_bh_enable include/linux/bottom_half.h:33 [inline]
   rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
   __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611
   dev_queue_xmit include/linux/netdevice.h:3311 [inline]
   packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
   packet_snd net/packet/af_packet.c:3132 [inline]
   packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164
   sock_sendmsg_nosec net/socket.c:718 [inline]

 The Linux kernel CVE team has assigned CVE-2025-21891 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.1.130 with commit 5b8dea8d1612dc7151d2457d7d2e6a69820309bf
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.6.81 with commit 4ec48f812804f370f622e0874e6dd8fcc58241cd
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.12.18 with commit 5353fd89663c48f56bdff975c562cfe78b1a2e4c
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.13.6 with commit e2a4f76a2d8a44816ecd25bcbdb47b786d621974
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.14 with commit 27843ce6ba3d3122b65066550fe33fb8839f8aef

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21891
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ipvlan/ipvlan_core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5b8dea8d1612dc7151d2457d7d2e6a69820309bf
 	https://git.kernel.org/stable/c/4ec48f812804f370f622e0874e6dd8fcc58241cd
 	https://git.kernel.org/stable/c/5353fd89663c48f56bdff975c562cfe78b1a2e4c
 	https://git.kernel.org/stable/c/e2a4f76a2d8a44816ecd25bcbdb47b786d621974
 	https://git.kernel.org/stable/c/27843ce6ba3d3122b65066550fe33fb8839f8aef
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21891: ipvlan: ensure network headers are in skb linear part

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ipvlan: ensure network headers are in skb linear part

	syzbot found that ipvlan_process_v6_outbound() was assuming
	the IPv6 network header isis present in skb->head [1]

	Add the needed pskb_network_may_pull() calls for both
	IPv4 and IPv6 handlers.

	[1]
	BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47
	__ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47
	ipv6_addr_type include/net/ipv6.h:555 [inline]
	ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline]
	ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651
	ip6_route_output include/net/ip6_route.h:93 [inline]
	ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476
	ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline]
	ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline]
	ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline]
	ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671
	ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223
	__netdev_start_xmit include/linux/netdevice.h:5150 [inline]
	netdev_start_xmit include/linux/netdevice.h:5159 [inline]
	xmit_one net/core/dev.c:3735 [inline]
	dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751
	sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343
	qdisc_restart net/sched/sch_generic.c:408 [inline]
	__qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416
	qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127
	net_tx_action+0x78b/0x940 net/core/dev.c:5484
	handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561
	__do_softirq+0x14/0x1a kernel/softirq.c:595
	do_softirq+0x9a/0x100 kernel/softirq.c:462
	__local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389
	local_bh_enable include/linux/bottom_half.h:33 [inline]
	rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
	__dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611
	dev_queue_xmit include/linux/netdevice.h:3311 [inline]
	packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
	packet_snd net/packet/af_packet.c:3132 [inline]
	packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164
	sock_sendmsg_nosec net/socket.c:718 [inline]

	The Linux kernel CVE team has assigned CVE-2025-21891 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.1.130 with commit 5b8dea8d1612dc7151d2457d7d2e6a69820309bf
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.6.81 with commit 4ec48f812804f370f622e0874e6dd8fcc58241cd
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.12.18 with commit 5353fd89663c48f56bdff975c562cfe78b1a2e4c
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.13.6 with commit e2a4f76a2d8a44816ecd25bcbdb47b786d621974
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.14 with commit 27843ce6ba3d3122b65066550fe33fb8839f8aef

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21891
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ipvlan/ipvlan_core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5b8dea8d1612dc7151d2457d7d2e6a69820309bf
	https://git.kernel.org/stable/c/4ec48f812804f370f622e0874e6dd8fcc58241cd
	https://git.kernel.org/stable/c/5353fd89663c48f56bdff975c562cfe78b1a2e4c
	https://git.kernel.org/stable/c/e2a4f76a2d8a44816ecd25bcbdb47b786d621974
	https://git.kernel.org/stable/c/27843ce6ba3d3122b65066550fe33fb8839f8aef