cve/published/2025/CVE-2025-21877.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21877: usbnet: gl620a: fix endpoint checking in genelink_bind()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usbnet: gl620a: fix endpoint checking in genelink_bind()

 Syzbot reports [1] a warning in usb_submit_urb() triggered by
 inconsistencies between expected and actually present endpoints
 in gl620a driver. Since genelink_bind() does not properly
 verify whether specified eps are in fact provided by the device,
 in this case, an artificially manufactured one, one may get a
 mismatch.

 Fix the issue by resorting to a usbnet utility function
 usbnet_get_endpoints(), usually reserved for this very problem.
 Check for endpoints and return early before proceeding further if
 any are missing.

 [1] Syzbot report:
 usb 5-1: Manufacturer: syz
 usb 5-1: SerialNumber: syz
 usb 5-1: config 0 descriptor??
 gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ...
 ------------[ cut here ]------------
 usb 5-1: BOGUS urb xfer, pipe 3 != type 1
 WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
 Modules linked in:
 CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
 Workqueue: mld mld_ifc_work
 RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
 ...
 Call Trace:
  <TASK>
  usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467
  __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
  netdev_start_xmit include/linux/netdevice.h:5011 [inline]
  xmit_one net/core/dev.c:3590 [inline]
  dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606
  sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343
  __dev_xmit_skb net/core/dev.c:3827 [inline]
  __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400
  dev_queue_xmit include/linux/netdevice.h:3168 [inline]
  neigh_resolve_output net/core/neighbour.c:1514 [inline]
  neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494
  neigh_output include/net/neighbour.h:539 [inline]
  ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141
  __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
  ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226
  NF_HOOK_COND include/linux/netfilter.h:303 [inline]
  ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247
  dst_output include/net/dst.h:450 [inline]
  NF_HOOK include/linux/netfilter.h:314 [inline]
  NF_HOOK include/linux/netfilter.h:308 [inline]
  mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819
  mld_send_cr net/ipv6/mcast.c:2120 [inline]
  mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651
  process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
  process_scheduled_works kernel/workqueue.c:3310 [inline]
  worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
  kthread+0x2c1/0x3a0 kernel/kthread.c:389
  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
  </TASK>

 The Linux kernel CVE team has assigned CVE-2025-21877 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 5.4.291 with commit 5f2dbabbce04b1ffcd6d8d07564adb94db577536
 	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 5.10.235 with commit 24dd971104057c8828d420a48e0a5af6e6f30d3e
 	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 5.15.179 with commit 9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc
 	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.1.130 with commit 67ebc3391c8377738e97a43374054d9718fdb6e4
 	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.6.81 with commit a2ee5e55b50a97d13617c8653482c0ad4decff8c
 	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.12.18 with commit 4e8b8d43373bf837be159366f0192502f97ec7a5
 	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.13.6 with commit ded25730c96949cb8b048b29c557e38569124943
 	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.14 with commit 1cf9631d836b289bd5490776551961c883ae8a4f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21877
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/usb/gl620a.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5f2dbabbce04b1ffcd6d8d07564adb94db577536
 	https://git.kernel.org/stable/c/24dd971104057c8828d420a48e0a5af6e6f30d3e
 	https://git.kernel.org/stable/c/9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc
 	https://git.kernel.org/stable/c/67ebc3391c8377738e97a43374054d9718fdb6e4
 	https://git.kernel.org/stable/c/a2ee5e55b50a97d13617c8653482c0ad4decff8c
 	https://git.kernel.org/stable/c/4e8b8d43373bf837be159366f0192502f97ec7a5
 	https://git.kernel.org/stable/c/ded25730c96949cb8b048b29c557e38569124943
 	https://git.kernel.org/stable/c/1cf9631d836b289bd5490776551961c883ae8a4f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21877: usbnet: gl620a: fix endpoint checking in genelink_bind()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usbnet: gl620a: fix endpoint checking in genelink_bind()

	Syzbot reports [1] a warning in usb_submit_urb() triggered by
	inconsistencies between expected and actually present endpoints
	in gl620a driver. Since genelink_bind() does not properly
	verify whether specified eps are in fact provided by the device,
	in this case, an artificially manufactured one, one may get a
	mismatch.

	Fix the issue by resorting to a usbnet utility function
	usbnet_get_endpoints(), usually reserved for this very problem.
	Check for endpoints and return early before proceeding further if
	any are missing.

	[1] Syzbot report:
	usb 5-1: Manufacturer: syz
	usb 5-1: SerialNumber: syz
	usb 5-1: config 0 descriptor??
	gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ...
	------------[ cut here ]------------
	usb 5-1: BOGUS urb xfer, pipe 3 != type 1
	WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
	Modules linked in:
	CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
	Workqueue: mld mld_ifc_work
	RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
	...
	Call Trace:
	<TASK>
	usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467
	__netdev_start_xmit include/linux/netdevice.h:5002 [inline]
	netdev_start_xmit include/linux/netdevice.h:5011 [inline]
	xmit_one net/core/dev.c:3590 [inline]
	dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606
	sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343
	__dev_xmit_skb net/core/dev.c:3827 [inline]
	__dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400
	dev_queue_xmit include/linux/netdevice.h:3168 [inline]
	neigh_resolve_output net/core/neighbour.c:1514 [inline]
	neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494
	neigh_output include/net/neighbour.h:539 [inline]
	ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141
	__ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
	ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226
	NF_HOOK_COND include/linux/netfilter.h:303 [inline]
	ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247
	dst_output include/net/dst.h:450 [inline]
	NF_HOOK include/linux/netfilter.h:314 [inline]
	NF_HOOK include/linux/netfilter.h:308 [inline]
	mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819
	mld_send_cr net/ipv6/mcast.c:2120 [inline]
	mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651
	process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
	process_scheduled_works kernel/workqueue.c:3310 [inline]
	worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
	kthread+0x2c1/0x3a0 kernel/kthread.c:389
	ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
	ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
	</TASK>

	The Linux kernel CVE team has assigned CVE-2025-21877 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 5.4.291 with commit 5f2dbabbce04b1ffcd6d8d07564adb94db577536
	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 5.10.235 with commit 24dd971104057c8828d420a48e0a5af6e6f30d3e
	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 5.15.179 with commit 9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc
	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.1.130 with commit 67ebc3391c8377738e97a43374054d9718fdb6e4
	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.6.81 with commit a2ee5e55b50a97d13617c8653482c0ad4decff8c
	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.12.18 with commit 4e8b8d43373bf837be159366f0192502f97ec7a5
	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.13.6 with commit ded25730c96949cb8b048b29c557e38569124943
	Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.14 with commit 1cf9631d836b289bd5490776551961c883ae8a4f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21877
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/usb/gl620a.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5f2dbabbce04b1ffcd6d8d07564adb94db577536
	https://git.kernel.org/stable/c/24dd971104057c8828d420a48e0a5af6e6f30d3e
	https://git.kernel.org/stable/c/9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc
	https://git.kernel.org/stable/c/67ebc3391c8377738e97a43374054d9718fdb6e4
	https://git.kernel.org/stable/c/a2ee5e55b50a97d13617c8653482c0ad4decff8c
	https://git.kernel.org/stable/c/4e8b8d43373bf837be159366f0192502f97ec7a5
	https://git.kernel.org/stable/c/ded25730c96949cb8b048b29c557e38569124943
	https://git.kernel.org/stable/c/1cf9631d836b289bd5490776551961c883ae8a4f