cve/published/2025/CVE-2025-21705.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21705: mptcp: handle fastopen disconnect correctly

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mptcp: handle fastopen disconnect correctly

 Syzbot was able to trigger a data stream corruption:

   WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
   Modules linked in:
   CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0
   Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
   RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
   Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07
   RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293
   RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000
   RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
   RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928
   R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000
   R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000
   FS:  00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0
   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
   Call Trace:
    <TASK>
    __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074
    mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493
    release_sock+0x1aa/0x1f0 net/core/sock.c:3640
    inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]
    __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703
    mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755
    mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830
    sock_sendmsg_nosec net/socket.c:711 [inline]
    __sock_sendmsg+0x1a6/0x270 net/socket.c:726
    ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
    ___sys_sendmsg net/socket.c:2637 [inline]
    __sys_sendmsg+0x269/0x350 net/socket.c:2669
    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
    entry_SYSCALL_64_after_hwframe+0x77/0x7f
   RIP: 0033:0x7f6e86ebfe69
   Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
   RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
   RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69
   RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003
   RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000
   R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc
   R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508
    </TASK>

 The root cause is the bad handling of disconnect() generated internally
 by the MPTCP protocol in case of connect FASTOPEN errors.

 Address the issue increasing the socket disconnect counter even on such
 a case, to allow other threads waiting on the same socket lock to
 properly error out.

 The Linux kernel CVE team has assigned CVE-2025-21705 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1.36 with commit b7bb71dfb541df376c21c24451369fea83c4f327 and fixed in 6.1.129 with commit 73e268b4be27b36ae68ea10755cb003f43b38884
 	Issue introduced in 6.4 with commit c2b2ae3925b65070adb27d5a31a31c376f26dec7 and fixed in 6.6.76 with commit 0263fb2e7b7b88075a5d86e74c4384ee4400828d
 	Issue introduced in 6.4 with commit c2b2ae3925b65070adb27d5a31a31c376f26dec7 and fixed in 6.12.13 with commit 84ac44d9fed3a56440971cbd7600a02b70b5b32a
 	Issue introduced in 6.4 with commit c2b2ae3925b65070adb27d5a31a31c376f26dec7 and fixed in 6.13.2 with commit 6ec806762318a4adde0ea63342d42d0feae95079
 	Issue introduced in 6.4 with commit c2b2ae3925b65070adb27d5a31a31c376f26dec7 and fixed in 6.14 with commit 619af16b3b57a3a4ee50b9a30add9ff155541e71
 	Issue introduced in 6.3.10 with commit 9c998d59a6b1359ad43d1ef38538af5f55fd01a2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21705
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mptcp/protocol.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/73e268b4be27b36ae68ea10755cb003f43b38884
 	https://git.kernel.org/stable/c/0263fb2e7b7b88075a5d86e74c4384ee4400828d
 	https://git.kernel.org/stable/c/84ac44d9fed3a56440971cbd7600a02b70b5b32a
 	https://git.kernel.org/stable/c/6ec806762318a4adde0ea63342d42d0feae95079
 	https://git.kernel.org/stable/c/619af16b3b57a3a4ee50b9a30add9ff155541e71
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21705: mptcp: handle fastopen disconnect correctly

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mptcp: handle fastopen disconnect correctly

	Syzbot was able to trigger a data stream corruption:

	WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
	Modules linked in:
	CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0
	Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
	RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
	Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07
	RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293
	RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000
	RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
	RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928
	R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000
	R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000
	FS: 00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<TASK>
	__mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074
	mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493
	release_sock+0x1aa/0x1f0 net/core/sock.c:3640
	inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]
	__inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703
	mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755
	mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830
	sock_sendmsg_nosec net/socket.c:711 [inline]
	__sock_sendmsg+0x1a6/0x270 net/socket.c:726
	____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
	___sys_sendmsg net/socket.c:2637 [inline]
	__sys_sendmsg+0x269/0x350 net/socket.c:2669
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7f6e86ebfe69
	Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
	RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69
	RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003
	RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc
	R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508
	</TASK>

	The root cause is the bad handling of disconnect() generated internally
	by the MPTCP protocol in case of connect FASTOPEN errors.

	Address the issue increasing the socket disconnect counter even on such
	a case, to allow other threads waiting on the same socket lock to
	properly error out.

	The Linux kernel CVE team has assigned CVE-2025-21705 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1.36 with commit b7bb71dfb541df376c21c24451369fea83c4f327 and fixed in 6.1.129 with commit 73e268b4be27b36ae68ea10755cb003f43b38884
	Issue introduced in 6.4 with commit c2b2ae3925b65070adb27d5a31a31c376f26dec7 and fixed in 6.6.76 with commit 0263fb2e7b7b88075a5d86e74c4384ee4400828d
	Issue introduced in 6.4 with commit c2b2ae3925b65070adb27d5a31a31c376f26dec7 and fixed in 6.12.13 with commit 84ac44d9fed3a56440971cbd7600a02b70b5b32a
	Issue introduced in 6.4 with commit c2b2ae3925b65070adb27d5a31a31c376f26dec7 and fixed in 6.13.2 with commit 6ec806762318a4adde0ea63342d42d0feae95079
	Issue introduced in 6.4 with commit c2b2ae3925b65070adb27d5a31a31c376f26dec7 and fixed in 6.14 with commit 619af16b3b57a3a4ee50b9a30add9ff155541e71
	Issue introduced in 6.3.10 with commit 9c998d59a6b1359ad43d1ef38538af5f55fd01a2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21705
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mptcp/protocol.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/73e268b4be27b36ae68ea10755cb003f43b38884
	https://git.kernel.org/stable/c/0263fb2e7b7b88075a5d86e74c4384ee4400828d
	https://git.kernel.org/stable/c/84ac44d9fed3a56440971cbd7600a02b70b5b32a
	https://git.kernel.org/stable/c/6ec806762318a4adde0ea63342d42d0feae95079
	https://git.kernel.org/stable/c/619af16b3b57a3a4ee50b9a30add9ff155541e71