| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2025-21716: vxlan: Fix uninit-value in vxlan_vnifilter_dump() |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| vxlan: Fix uninit-value in vxlan_vnifilter_dump() |
| |
| KMSAN reported an uninit-value access in vxlan_vnifilter_dump() [1]. |
| |
| If the length of the netlink message payload is less than |
| sizeof(struct tunnel_msg), vxlan_vnifilter_dump() accesses bytes |
| beyond the message. This can lead to uninit-value access. Fix this by |
| returning an error in such situations. |
| |
| [1] |
| BUG: KMSAN: uninit-value in vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422 |
| vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422 |
| rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6786 |
| netlink_dump+0x93e/0x15f0 net/netlink/af_netlink.c:2317 |
| __netlink_dump_start+0x716/0xd60 net/netlink/af_netlink.c:2432 |
| netlink_dump_start include/linux/netlink.h:340 [inline] |
| rtnetlink_dump_start net/core/rtnetlink.c:6815 [inline] |
| rtnetlink_rcv_msg+0x1256/0x14a0 net/core/rtnetlink.c:6882 |
| netlink_rcv_skb+0x467/0x660 net/netlink/af_netlink.c:2542 |
| rtnetlink_rcv+0x35/0x40 net/core/rtnetlink.c:6944 |
| netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] |
| netlink_unicast+0xed6/0x1290 net/netlink/af_netlink.c:1347 |
| netlink_sendmsg+0x1092/0x1230 net/netlink/af_netlink.c:1891 |
| sock_sendmsg_nosec net/socket.c:711 [inline] |
| __sock_sendmsg+0x330/0x3d0 net/socket.c:726 |
| ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583 |
| ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637 |
| __sys_sendmsg net/socket.c:2669 [inline] |
| __do_sys_sendmsg net/socket.c:2674 [inline] |
| __se_sys_sendmsg net/socket.c:2672 [inline] |
| __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672 |
| x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47 |
| do_syscall_x64 arch/x86/entry/common.c:52 [inline] |
| do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 |
| entry_SYSCALL_64_after_hwframe+0x77/0x7f |
| |
| Uninit was created at: |
| slab_post_alloc_hook mm/slub.c:4110 [inline] |
| slab_alloc_node mm/slub.c:4153 [inline] |
| kmem_cache_alloc_node_noprof+0x800/0xe80 mm/slub.c:4205 |
| kmalloc_reserve+0x13b/0x4b0 net/core/skbuff.c:587 |
| __alloc_skb+0x347/0x7d0 net/core/skbuff.c:678 |
| alloc_skb include/linux/skbuff.h:1323 [inline] |
| netlink_alloc_large_skb+0xa5/0x280 net/netlink/af_netlink.c:1196 |
| netlink_sendmsg+0xac9/0x1230 net/netlink/af_netlink.c:1866 |
| sock_sendmsg_nosec net/socket.c:711 [inline] |
| __sock_sendmsg+0x330/0x3d0 net/socket.c:726 |
| ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583 |
| ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637 |
| __sys_sendmsg net/socket.c:2669 [inline] |
| __do_sys_sendmsg net/socket.c:2674 [inline] |
| __se_sys_sendmsg net/socket.c:2672 [inline] |
| __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672 |
| x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47 |
| do_syscall_x64 arch/x86/entry/common.c:52 [inline] |
| do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 |
| entry_SYSCALL_64_after_hwframe+0x77/0x7f |
| |
| CPU: 0 UID: 0 PID: 30991 Comm: syz.4.10630 Not tainted 6.12.0-10694-gc44daa7e3c73 #29 |
| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 |
| |
| The Linux kernel CVE team has assigned CVE-2025-21716 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.18 with commit f9c4bb0b245cee35ef66f75bf409c9573d934cf9 and fixed in 6.1.129 with commit cb1de9309a48cc5b771115781eec05075fd67039 |
| Issue introduced in 5.18 with commit f9c4bb0b245cee35ef66f75bf409c9573d934cf9 and fixed in 6.6.76 with commit a84d511165d6ba7f331b90ae6b6ce180ec534daa |
| Issue introduced in 5.18 with commit f9c4bb0b245cee35ef66f75bf409c9573d934cf9 and fixed in 6.12.13 with commit f554bce488605d2f70e06eeab5e4d2448c813713 |
| Issue introduced in 5.18 with commit f9c4bb0b245cee35ef66f75bf409c9573d934cf9 and fixed in 6.13.2 with commit 1693d1fade71646a0731b6b213298cb443d186ea |
| Issue introduced in 5.18 with commit f9c4bb0b245cee35ef66f75bf409c9573d934cf9 and fixed in 6.14 with commit 5066293b9b7046a906eff60e3949a887ae185a43 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2025-21716 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/net/vxlan/vxlan_vnifilter.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/cb1de9309a48cc5b771115781eec05075fd67039 |
| https://git.kernel.org/stable/c/a84d511165d6ba7f331b90ae6b6ce180ec534daa |
| https://git.kernel.org/stable/c/f554bce488605d2f70e06eeab5e4d2448c813713 |
| https://git.kernel.org/stable/c/1693d1fade71646a0731b6b213298cb443d186ea |
| https://git.kernel.org/stable/c/5066293b9b7046a906eff60e3949a887ae185a43 |
