cve/published/2025/CVE-2025-22005.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-22005: ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().

 fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything
 when it fails.

 Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh")
 moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init()
 but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in
 case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak.

 Let's call fib_nh_common_release() and clear nhc_pcpu_rth_output in the
 error path.

 Note that we can remove the fib6_nh_release() call in nh_create_ipv6()
 later in net-next.git.

 The Linux kernel CVE team has assigned CVE-2025-22005 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 5.4.292 with commit 16267a5036173d0173377545b4b6021b081d0933
 	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 5.10.236 with commit 1bd12dfc058e1e68759d313d7727d68dbc1b8964
 	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 5.15.180 with commit 596a883c4ce2d2e9c175f25b98fed3a1f33fea38
 	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 6.1.132 with commit 77c41cdbe6bce476e08d3251c0d501feaf10a9f3
 	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 6.6.85 with commit 119dcafe36795a15ae53351cbbd6177aaf94ffef
 	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 6.12.21 with commit 29d91820184d5cbc70f3246d4911d96eaeb930d6
 	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 6.13.9 with commit d3d5b4b5ae263c3225db363ba08b937e2e2b0380
 	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 6.14 with commit 9740890ee20e01f99ff1dde84c63dcf089fabb98

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-22005
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv6/route.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/16267a5036173d0173377545b4b6021b081d0933
 	https://git.kernel.org/stable/c/1bd12dfc058e1e68759d313d7727d68dbc1b8964
 	https://git.kernel.org/stable/c/596a883c4ce2d2e9c175f25b98fed3a1f33fea38
 	https://git.kernel.org/stable/c/77c41cdbe6bce476e08d3251c0d501feaf10a9f3
 	https://git.kernel.org/stable/c/119dcafe36795a15ae53351cbbd6177aaf94ffef
 	https://git.kernel.org/stable/c/29d91820184d5cbc70f3246d4911d96eaeb930d6
 	https://git.kernel.org/stable/c/d3d5b4b5ae263c3225db363ba08b937e2e2b0380
 	https://git.kernel.org/stable/c/9740890ee20e01f99ff1dde84c63dcf089fabb98
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-22005: ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().

	fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything
	when it fails.

	Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh")
	moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init()
	but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in
	case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak.

	Let's call fib_nh_common_release() and clear nhc_pcpu_rth_output in the
	error path.

	Note that we can remove the fib6_nh_release() call in nh_create_ipv6()
	later in net-next.git.

	The Linux kernel CVE team has assigned CVE-2025-22005 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 5.4.292 with commit 16267a5036173d0173377545b4b6021b081d0933
	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 5.10.236 with commit 1bd12dfc058e1e68759d313d7727d68dbc1b8964
	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 5.15.180 with commit 596a883c4ce2d2e9c175f25b98fed3a1f33fea38
	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 6.1.132 with commit 77c41cdbe6bce476e08d3251c0d501feaf10a9f3
	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 6.6.85 with commit 119dcafe36795a15ae53351cbbd6177aaf94ffef
	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 6.12.21 with commit 29d91820184d5cbc70f3246d4911d96eaeb930d6
	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 6.13.9 with commit d3d5b4b5ae263c3225db363ba08b937e2e2b0380
	Issue introduced in 5.3 with commit 7dd73168e273938b9e9bb42ca51b0c27d807992b and fixed in 6.14 with commit 9740890ee20e01f99ff1dde84c63dcf089fabb98

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-22005
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv6/route.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/16267a5036173d0173377545b4b6021b081d0933
	https://git.kernel.org/stable/c/1bd12dfc058e1e68759d313d7727d68dbc1b8964
	https://git.kernel.org/stable/c/596a883c4ce2d2e9c175f25b98fed3a1f33fea38
	https://git.kernel.org/stable/c/77c41cdbe6bce476e08d3251c0d501feaf10a9f3
	https://git.kernel.org/stable/c/119dcafe36795a15ae53351cbbd6177aaf94ffef
	https://git.kernel.org/stable/c/29d91820184d5cbc70f3246d4911d96eaeb930d6
	https://git.kernel.org/stable/c/d3d5b4b5ae263c3225db363ba08b937e2e2b0380
	https://git.kernel.org/stable/c/9740890ee20e01f99ff1dde84c63dcf089fabb98