Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2025 / CVE-2025-21706.json
blob: 167b9a814499045113adc120171314a743c3769c [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only set fullmesh for subflow endp\n\nWith the in-kernel path-manager, it is possible to change the 'fullmesh'\nflag. The code in mptcp_pm_nl_fullmesh() expects to change it only on\n'subflow' endpoints, to recreate more or less subflows using the linked\naddress.\n\nUnfortunately, the set_flags() hook was a bit more permissive, and\nallowed 'implicit' endpoints to get the 'fullmesh' flag while it is not\nallowed before.\n\nThat's what syzbot found, triggering the following warning:\n\n WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n Modules linked in:\n CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0\n Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 <0f> 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48\n RSP: 0018:ffffc9000d307240 EFLAGS: 00010293\n RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e\n R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0\n R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d\n FS: 00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n <TASK>\n genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\n netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:726\n ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n ___sys_sendmsg net/socket.c:2637 [inline]\n __sys_sendmsg+0x269/0x350 net/socket.c:2669\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f5fe8785d29\n Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29\n RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007\n RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 000000\n---truncated---"
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/mptcp/pm_netlink.c"
],
"versions": [
{
"version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
"lessThan": "22b0734c9401a74ed4ebd9e8ef0da33e493852eb",
"status": "affected",
"versionType": "git"
},
{
"version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
"lessThan": "de3b8d41d2547452c4cafb146d003fa4689fbaf2",
"status": "affected",
"versionType": "git"
},
{
"version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
"lessThan": "8ac344cbd84fda75e05e1f445f7f8fb24dc175e1",
"status": "affected",
"versionType": "git"
},
{
"version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
"lessThan": "9e3d61620a3cd033319553b980ff3a350adbe1bc",
"status": "affected",
"versionType": "git"
},
{
"version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
"lessThan": "1bb0d1348546ad059f55c93def34e67cb2a034a6",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/mptcp/pm_netlink.c"
],
"versions": [
{
"version": "5.18",
"status": "affected"
},
{
"version": "0",
"lessThan": "5.18",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.129",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.78",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.13",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13.2",
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.14",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18",
"versionEndExcluding": "6.1.129"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18",
"versionEndExcluding": "6.6.78"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18",
"versionEndExcluding": "6.12.13"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18",
"versionEndExcluding": "6.13.2"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18",
"versionEndExcluding": "6.14"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/22b0734c9401a74ed4ebd9e8ef0da33e493852eb"
},
{
"url": "https://git.kernel.org/stable/c/de3b8d41d2547452c4cafb146d003fa4689fbaf2"
},
{
"url": "https://git.kernel.org/stable/c/8ac344cbd84fda75e05e1f445f7f8fb24dc175e1"
},
{
"url": "https://git.kernel.org/stable/c/9e3d61620a3cd033319553b980ff3a350adbe1bc"
},
{
"url": "https://git.kernel.org/stable/c/1bb0d1348546ad059f55c93def34e67cb2a034a6"
}
],
"title": "mptcp: pm: only set fullmesh for subflow endp",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2025-21706",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}