cve/published/2025/CVE-2025-21867.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21867: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()

 KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The
 cause of the issue was that eth_skb_pkt_type() accessed skb's data
 that didn't contain an Ethernet header. This occurs when
 bpf_prog_test_run_xdp() passes an invalid value as the user_data
 argument to bpf_test_init().

 Fix this by returning an error when user_data is less than ETH_HLEN in
 bpf_test_init(). Additionally, remove the check for "if (user_size >
 size)" as it is unnecessary.

 [1]
 BUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
 BUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
  eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
  eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
  __xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635
  xdp_recv_frames net/bpf/test_run.c:272 [inline]
  xdp_test_run_batch net/bpf/test_run.c:361 [inline]
  bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390
  bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318
  bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371
  __sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777
  __do_sys_bpf kernel/bpf/syscall.c:5866 [inline]
  __se_sys_bpf kernel/bpf/syscall.c:5864 [inline]
  __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864
  x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 Uninit was created at:
  free_pages_prepare mm/page_alloc.c:1056 [inline]
  free_unref_page+0x156/0x1320 mm/page_alloc.c:2657
  __free_pages+0xa3/0x1b0 mm/page_alloc.c:4838
  bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline]
  ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235
  bpf_map_free kernel/bpf/syscall.c:838 [inline]
  bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862
  process_one_work kernel/workqueue.c:3229 [inline]
  process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310
  worker_thread+0xedf/0x1550 kernel/workqueue.c:3391
  kthread+0x535/0x6b0 kernel/kthread.c:389
  ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

 CPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014

 The Linux kernel CVE team has assigned CVE-2025-21867 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.18 with commit be3d72a2896cb24090f268dce4aa8a304d40bc23 and fixed in 6.1.130 with commit f615fccfc689cb48977d275ac2e391297b52392b
 	Issue introduced in 5.18 with commit be3d72a2896cb24090f268dce4aa8a304d40bc23 and fixed in 6.6.80 with commit d56d8a23d95100b65f40438639dd82db2af81c11
 	Issue introduced in 5.18 with commit be3d72a2896cb24090f268dce4aa8a304d40bc23 and fixed in 6.12.17 with commit 972bafed67ca73ad9a56448384281eb5fd5c0ba3
 	Issue introduced in 5.18 with commit be3d72a2896cb24090f268dce4aa8a304d40bc23 and fixed in 6.13.5 with commit 1a9e1284e87d59b1303b69d1808d310821d6e5f7
 	Issue introduced in 5.18 with commit be3d72a2896cb24090f268dce4aa8a304d40bc23 and fixed in 6.14 with commit 6b3d638ca897e099fa99bd6d02189d3176f80a47

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21867
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bpf/test_run.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f615fccfc689cb48977d275ac2e391297b52392b
 	https://git.kernel.org/stable/c/d56d8a23d95100b65f40438639dd82db2af81c11
 	https://git.kernel.org/stable/c/972bafed67ca73ad9a56448384281eb5fd5c0ba3
 	https://git.kernel.org/stable/c/1a9e1284e87d59b1303b69d1808d310821d6e5f7
 	https://git.kernel.org/stable/c/6b3d638ca897e099fa99bd6d02189d3176f80a47
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21867: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()

	KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The
	cause of the issue was that eth_skb_pkt_type() accessed skb's data
	that didn't contain an Ethernet header. This occurs when
	bpf_prog_test_run_xdp() passes an invalid value as the user_data
	argument to bpf_test_init().

	Fix this by returning an error when user_data is less than ETH_HLEN in
	bpf_test_init(). Additionally, remove the check for "if (user_size >
	size)" as it is unnecessary.

	[1]
	BUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
	BUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
	eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
	eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
	__xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635
	xdp_recv_frames net/bpf/test_run.c:272 [inline]
	xdp_test_run_batch net/bpf/test_run.c:361 [inline]
	bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390
	bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318
	bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371
	__sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777
	__do_sys_bpf kernel/bpf/syscall.c:5866 [inline]
	__se_sys_bpf kernel/bpf/syscall.c:5864 [inline]
	__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864
	x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Uninit was created at:
	free_pages_prepare mm/page_alloc.c:1056 [inline]
	free_unref_page+0x156/0x1320 mm/page_alloc.c:2657
	__free_pages+0xa3/0x1b0 mm/page_alloc.c:4838
	bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline]
	ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235
	bpf_map_free kernel/bpf/syscall.c:838 [inline]
	bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862
	process_one_work kernel/workqueue.c:3229 [inline]
	process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310
	worker_thread+0xedf/0x1550 kernel/workqueue.c:3391
	kthread+0x535/0x6b0 kernel/kthread.c:389
	ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147
	ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

	CPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014

	The Linux kernel CVE team has assigned CVE-2025-21867 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.18 with commit be3d72a2896cb24090f268dce4aa8a304d40bc23 and fixed in 6.1.130 with commit f615fccfc689cb48977d275ac2e391297b52392b
	Issue introduced in 5.18 with commit be3d72a2896cb24090f268dce4aa8a304d40bc23 and fixed in 6.6.80 with commit d56d8a23d95100b65f40438639dd82db2af81c11
	Issue introduced in 5.18 with commit be3d72a2896cb24090f268dce4aa8a304d40bc23 and fixed in 6.12.17 with commit 972bafed67ca73ad9a56448384281eb5fd5c0ba3
	Issue introduced in 5.18 with commit be3d72a2896cb24090f268dce4aa8a304d40bc23 and fixed in 6.13.5 with commit 1a9e1284e87d59b1303b69d1808d310821d6e5f7
	Issue introduced in 5.18 with commit be3d72a2896cb24090f268dce4aa8a304d40bc23 and fixed in 6.14 with commit 6b3d638ca897e099fa99bd6d02189d3176f80a47

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21867
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bpf/test_run.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f615fccfc689cb48977d275ac2e391297b52392b
	https://git.kernel.org/stable/c/d56d8a23d95100b65f40438639dd82db2af81c11
	https://git.kernel.org/stable/c/972bafed67ca73ad9a56448384281eb5fd5c0ba3
	https://git.kernel.org/stable/c/1a9e1284e87d59b1303b69d1808d310821d6e5f7
	https://git.kernel.org/stable/c/6b3d638ca897e099fa99bd6d02189d3176f80a47