cve/published/2025/CVE-2025-21706.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21706: mptcp: pm: only set fullmesh for subflow endp

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mptcp: pm: only set fullmesh for subflow endp

 With the in-kernel path-manager, it is possible to change the 'fullmesh'
 flag. The code in mptcp_pm_nl_fullmesh() expects to change it only on
 'subflow' endpoints, to recreate more or less subflows using the linked
 address.

 Unfortunately, the set_flags() hook was a bit more permissive, and
 allowed 'implicit' endpoints to get the 'fullmesh' flag while it is not
 allowed before.

 That's what syzbot found, triggering the following warning:

   WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]
   WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]
   WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]
   WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064
   Modules linked in:
   CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0
   Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
   RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]
   RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]
   RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]
   RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064
   Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 <0f> 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48
   RSP: 0018:ffffc9000d307240 EFLAGS: 00010293
   RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000
   RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
   RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e
   R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0
   R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d
   FS:  00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0
   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
   Call Trace:
    <TASK>
    genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
    genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
    genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
    netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542
    genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
    netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]
    netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347
    netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891
    sock_sendmsg_nosec net/socket.c:711 [inline]
    __sock_sendmsg+0x221/0x270 net/socket.c:726
    ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
    ___sys_sendmsg net/socket.c:2637 [inline]
    __sys_sendmsg+0x269/0x350 net/socket.c:2669
    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
    entry_SYSCALL_64_after_hwframe+0x77/0x7f
   RIP: 0033:0x7f5fe8785d29
   Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
   RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
   RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29
   RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007
   RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000
   R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
   R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 00000000000011f4
    </TASK>

 Here, syzbot managed to set the 'fullmesh' flag on an 'implicit' and
 used -- according to 'id_avail_bitmap' -- endpoint, causing the PM to
 try decrement the local_addr_used counter which is only incremented for
 the 'subflow' endpoint.

 Note that 'no type' endpoints -- not 'subflow', 'signal', 'implicit' --
 are fine, because their ID will not be marked as used in the 'id_avail'
 bitmap, and setting 'fullmesh' can help forcing the creation of subflow
 when receiving an ADD_ADDR.

 The Linux kernel CVE team has assigned CVE-2025-21706 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.18 with commit 73c762c1f07dacba4fd1cefd15e24b419d42320d and fixed in 6.1.129 with commit 22b0734c9401a74ed4ebd9e8ef0da33e493852eb
 	Issue introduced in 5.18 with commit 73c762c1f07dacba4fd1cefd15e24b419d42320d and fixed in 6.6.78 with commit de3b8d41d2547452c4cafb146d003fa4689fbaf2
 	Issue introduced in 5.18 with commit 73c762c1f07dacba4fd1cefd15e24b419d42320d and fixed in 6.12.13 with commit 8ac344cbd84fda75e05e1f445f7f8fb24dc175e1
 	Issue introduced in 5.18 with commit 73c762c1f07dacba4fd1cefd15e24b419d42320d and fixed in 6.13.2 with commit 9e3d61620a3cd033319553b980ff3a350adbe1bc
 	Issue introduced in 5.18 with commit 73c762c1f07dacba4fd1cefd15e24b419d42320d and fixed in 6.14 with commit 1bb0d1348546ad059f55c93def34e67cb2a034a6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21706
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mptcp/pm_netlink.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/22b0734c9401a74ed4ebd9e8ef0da33e493852eb
 	https://git.kernel.org/stable/c/de3b8d41d2547452c4cafb146d003fa4689fbaf2
 	https://git.kernel.org/stable/c/8ac344cbd84fda75e05e1f445f7f8fb24dc175e1
 	https://git.kernel.org/stable/c/9e3d61620a3cd033319553b980ff3a350adbe1bc
 	https://git.kernel.org/stable/c/1bb0d1348546ad059f55c93def34e67cb2a034a6
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21706: mptcp: pm: only set fullmesh for subflow endp

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mptcp: pm: only set fullmesh for subflow endp

	With the in-kernel path-manager, it is possible to change the 'fullmesh'
	flag. The code in mptcp_pm_nl_fullmesh() expects to change it only on
	'subflow' endpoints, to recreate more or less subflows using the linked
	address.

	Unfortunately, the set_flags() hook was a bit more permissive, and
	allowed 'implicit' endpoints to get the 'fullmesh' flag while it is not
	allowed before.

	That's what syzbot found, triggering the following warning:

	WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]
	WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]
	WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]
	WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064
	Modules linked in:
	CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0
	Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
	RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]
	RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]
	RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]
	RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064
	Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 <0f> 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48
	RSP: 0018:ffffc9000d307240 EFLAGS: 00010293
	RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000
	RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
	RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e
	R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0
	R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d
	FS: 00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<TASK>
	genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
	genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
	genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
	netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542
	genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
	netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]
	netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347
	netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891
	sock_sendmsg_nosec net/socket.c:711 [inline]
	__sock_sendmsg+0x221/0x270 net/socket.c:726
	____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
	___sys_sendmsg net/socket.c:2637 [inline]
	__sys_sendmsg+0x269/0x350 net/socket.c:2669
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7f5fe8785d29
	Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
	RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29
	RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007
	RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
	R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 00000000000011f4
	</TASK>

	Here, syzbot managed to set the 'fullmesh' flag on an 'implicit' and
	used -- according to 'id_avail_bitmap' -- endpoint, causing the PM to
	try decrement the local_addr_used counter which is only incremented for
	the 'subflow' endpoint.

	Note that 'no type' endpoints -- not 'subflow', 'signal', 'implicit' --
	are fine, because their ID will not be marked as used in the 'id_avail'
	bitmap, and setting 'fullmesh' can help forcing the creation of subflow
	when receiving an ADD_ADDR.

	The Linux kernel CVE team has assigned CVE-2025-21706 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.18 with commit 73c762c1f07dacba4fd1cefd15e24b419d42320d and fixed in 6.1.129 with commit 22b0734c9401a74ed4ebd9e8ef0da33e493852eb
	Issue introduced in 5.18 with commit 73c762c1f07dacba4fd1cefd15e24b419d42320d and fixed in 6.6.78 with commit de3b8d41d2547452c4cafb146d003fa4689fbaf2
	Issue introduced in 5.18 with commit 73c762c1f07dacba4fd1cefd15e24b419d42320d and fixed in 6.12.13 with commit 8ac344cbd84fda75e05e1f445f7f8fb24dc175e1
	Issue introduced in 5.18 with commit 73c762c1f07dacba4fd1cefd15e24b419d42320d and fixed in 6.13.2 with commit 9e3d61620a3cd033319553b980ff3a350adbe1bc
	Issue introduced in 5.18 with commit 73c762c1f07dacba4fd1cefd15e24b419d42320d and fixed in 6.14 with commit 1bb0d1348546ad059f55c93def34e67cb2a034a6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21706
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mptcp/pm_netlink.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/22b0734c9401a74ed4ebd9e8ef0da33e493852eb
	https://git.kernel.org/stable/c/de3b8d41d2547452c4cafb146d003fa4689fbaf2
	https://git.kernel.org/stable/c/8ac344cbd84fda75e05e1f445f7f8fb24dc175e1
	https://git.kernel.org/stable/c/9e3d61620a3cd033319553b980ff3a350adbe1bc
	https://git.kernel.org/stable/c/1bb0d1348546ad059f55c93def34e67cb2a034a6