cve/published/2025/CVE-2025-21791.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21791: vrf: use RCU protection in l3mdev_l3_out()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 vrf: use RCU protection in l3mdev_l3_out()

 l3mdev_l3_out() can be called without RCU being held:

 raw_sendmsg()
  ip_push_pending_frames()
   ip_send_skb()
    ip_local_out()
     __ip_local_out()
      l3mdev_ip_out()

 Add rcu_read_lock() / rcu_read_unlock() pair to avoid
 a potential UAF.

 The Linux kernel CVE team has assigned CVE-2025-21791 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 5.4.291 with commit 6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e
 	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 5.10.235 with commit 20a3489b396764cc9376e32a9172bee26a89dc3b
 	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 5.15.179 with commit 5bb4228c32261d06e4fbece37ec3828bcc005b6b
 	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 6.1.129 with commit c7574740be8ce68a57d0aece24987b9be2114c3c
 	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 6.6.79 with commit c40cb5c03e37552d6eff963187109e2c3f78ef6f
 	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 6.12.16 with commit 022cac1c693add610ae76ede03adf4d9d5a2cf21
 	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 6.13.4 with commit 7b81425b517accefd46bee854d94954f5c57e019
 	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 6.14 with commit 6d0ce46a93135d96b7fa075a94a88fe0da8e8773

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21791
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/net/l3mdev.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e
 	https://git.kernel.org/stable/c/20a3489b396764cc9376e32a9172bee26a89dc3b
 	https://git.kernel.org/stable/c/5bb4228c32261d06e4fbece37ec3828bcc005b6b
 	https://git.kernel.org/stable/c/c7574740be8ce68a57d0aece24987b9be2114c3c
 	https://git.kernel.org/stable/c/c40cb5c03e37552d6eff963187109e2c3f78ef6f
 	https://git.kernel.org/stable/c/022cac1c693add610ae76ede03adf4d9d5a2cf21
 	https://git.kernel.org/stable/c/7b81425b517accefd46bee854d94954f5c57e019
 	https://git.kernel.org/stable/c/6d0ce46a93135d96b7fa075a94a88fe0da8e8773
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21791: vrf: use RCU protection in l3mdev_l3_out()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	vrf: use RCU protection in l3mdev_l3_out()

	l3mdev_l3_out() can be called without RCU being held:

	raw_sendmsg()
	ip_push_pending_frames()
	ip_send_skb()
	ip_local_out()
	__ip_local_out()
	l3mdev_ip_out()

	Add rcu_read_lock() / rcu_read_unlock() pair to avoid
	a potential UAF.

	The Linux kernel CVE team has assigned CVE-2025-21791 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 5.4.291 with commit 6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e
	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 5.10.235 with commit 20a3489b396764cc9376e32a9172bee26a89dc3b
	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 5.15.179 with commit 5bb4228c32261d06e4fbece37ec3828bcc005b6b
	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 6.1.129 with commit c7574740be8ce68a57d0aece24987b9be2114c3c
	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 6.6.79 with commit c40cb5c03e37552d6eff963187109e2c3f78ef6f
	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 6.12.16 with commit 022cac1c693add610ae76ede03adf4d9d5a2cf21
	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 6.13.4 with commit 7b81425b517accefd46bee854d94954f5c57e019
	Issue introduced in 4.9 with commit a8e3e1a9f02094145580ea7920c6a1d9aabd5539 and fixed in 6.14 with commit 6d0ce46a93135d96b7fa075a94a88fe0da8e8773

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21791
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/net/l3mdev.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e
	https://git.kernel.org/stable/c/20a3489b396764cc9376e32a9172bee26a89dc3b
	https://git.kernel.org/stable/c/5bb4228c32261d06e4fbece37ec3828bcc005b6b
	https://git.kernel.org/stable/c/c7574740be8ce68a57d0aece24987b9be2114c3c
	https://git.kernel.org/stable/c/c40cb5c03e37552d6eff963187109e2c3f78ef6f
	https://git.kernel.org/stable/c/022cac1c693add610ae76ede03adf4d9d5a2cf21
	https://git.kernel.org/stable/c/7b81425b517accefd46bee854d94954f5c57e019
	https://git.kernel.org/stable/c/6d0ce46a93135d96b7fa075a94a88fe0da8e8773