cve/published/2025/CVE-2025-21959.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21959: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()

 Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
 collection confirm race"), `cpu` and `jiffies32` were introduced to
 the struct nf_conncount_tuple.

 The commit made nf_conncount_add() initialize `conn->cpu` and
 `conn->jiffies32` when allocating the struct.
 In contrast, count_tree() was not changed to initialize them.

 By commit 34848d5c896e ("netfilter: nf_conncount: Split insert and
 traversal"), count_tree() was split and the relevant allocation
 code now resides in insert_tree().
 Initialize `conn->cpu` and `conn->jiffies32` in insert_tree().

 BUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline]
 BUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143
  find_or_evict net/netfilter/nf_conncount.c:117 [inline]
  __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143
  count_tree net/netfilter/nf_conncount.c:438 [inline]
  nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521
  connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72
  __nft_match_eval net/netfilter/nft_compat.c:403 [inline]
  nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433
  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
  nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288
  nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23
  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
  nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
  nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663
  NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
  ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633
  ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669
  __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]
  __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983
  __netif_receive_skb_list net/core/dev.c:6035 [inline]
  netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126
  netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178
  xdp_recv_frames net/bpf/test_run.c:280 [inline]
  xdp_test_run_batch net/bpf/test_run.c:361 [inline]
  bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390
  bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316
  bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407
  __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813
  __do_sys_bpf kernel/bpf/syscall.c:5902 [inline]
  __se_sys_bpf kernel/bpf/syscall.c:5900 [inline]
  __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900
  ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358
  do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
  __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387
  do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412
  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450
  entry_SYSENTER_compat_after_hwframe+0x84/0x8e

 Uninit was created at:
  slab_post_alloc_hook mm/slub.c:4121 [inline]
  slab_alloc_node mm/slub.c:4164 [inline]
  kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171
  insert_tree net/netfilter/nf_conncount.c:372 [inline]
  count_tree net/netfilter/nf_conncount.c:450 [inline]
  nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521
  connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72
  __nft_match_eval net/netfilter/nft_compat.c:403 [inline]
  nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433
  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
  nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288
  nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23
  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
  nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
  nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663
  NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
  ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633
  ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669
  __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]
  __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983
  __netif_receive_skb_list net/core/dev.c:6035 [inline]
  netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126
  netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178
  xdp_recv_frames net/bpf/test_run.c:280 [inline]
  xdp_test_run_batch net/bpf/test_run.c:361 [inline]
  bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390
  bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316
  bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407
  __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813
  __do_sys_bpf kernel/bpf/syscall.c:5902 [inline]
  __se_sys_bpf kernel/bpf/syscall.c:5900 [inline]
  __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900
  ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358
  do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
  __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387
  do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412
  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450
  entry_SYSENTER_compat_after_hwframe+0x84/0x8e

 The Linux kernel CVE team has assigned CVE-2025-21959 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 5.4.292 with commit f522229c5563b59b4240261e406779bba6754159
 	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 5.10.236 with commit 2a154ce766b995494e88d8d117fa82cc6b73dd87
 	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 5.15.180 with commit e8544a5a97bee3674e7cd6bf0f3a4af517fa9146
 	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 6.1.132 with commit a62a25c6ad58fae997f48a0749afeda1c252ae51
 	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 6.6.84 with commit fda50302a13701d47fbe01e1739c7a51114144fb
 	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 6.12.20 with commit db1e0c0856821c59a32ea3af79476bf20a6beeb2
 	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 6.13.8 with commit 2db5baaf047a7c8d6ed5e2cc657b7854e155b7fc
 	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 6.14 with commit d653bfeb07ebb3499c403404c21ac58a16531607
 	Issue introduced in 4.14.92 with commit 75af3d78168e654a5cd8bbc4c774f97be836165f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21959
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/netfilter/nf_conncount.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f522229c5563b59b4240261e406779bba6754159
 	https://git.kernel.org/stable/c/2a154ce766b995494e88d8d117fa82cc6b73dd87
 	https://git.kernel.org/stable/c/e8544a5a97bee3674e7cd6bf0f3a4af517fa9146
 	https://git.kernel.org/stable/c/a62a25c6ad58fae997f48a0749afeda1c252ae51
 	https://git.kernel.org/stable/c/fda50302a13701d47fbe01e1739c7a51114144fb
 	https://git.kernel.org/stable/c/db1e0c0856821c59a32ea3af79476bf20a6beeb2
 	https://git.kernel.org/stable/c/2db5baaf047a7c8d6ed5e2cc657b7854e155b7fc
 	https://git.kernel.org/stable/c/d653bfeb07ebb3499c403404c21ac58a16531607
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21959: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()

	Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
	collection confirm race"), `cpu` and `jiffies32` were introduced to
	the struct nf_conncount_tuple.

	The commit made nf_conncount_add() initialize `conn->cpu` and
	`conn->jiffies32` when allocating the struct.
	In contrast, count_tree() was not changed to initialize them.

	By commit 34848d5c896e ("netfilter: nf_conncount: Split insert and
	traversal"), count_tree() was split and the relevant allocation
	code now resides in insert_tree().
	Initialize `conn->cpu` and `conn->jiffies32` in insert_tree().

	BUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline]
	BUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143
	find_or_evict net/netfilter/nf_conncount.c:117 [inline]
	__nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143
	count_tree net/netfilter/nf_conncount.c:438 [inline]
	nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521
	connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72
	__nft_match_eval net/netfilter/nft_compat.c:403 [inline]
	nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433
	expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
	nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288
	nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23
	nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
	nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
	nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663
	NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
	ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633
	ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669
	__netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]
	__netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983
	__netif_receive_skb_list net/core/dev.c:6035 [inline]
	netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126
	netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178
	xdp_recv_frames net/bpf/test_run.c:280 [inline]
	xdp_test_run_batch net/bpf/test_run.c:361 [inline]
	bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390
	bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316
	bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407
	__sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813
	__do_sys_bpf kernel/bpf/syscall.c:5902 [inline]
	__se_sys_bpf kernel/bpf/syscall.c:5900 [inline]
	__ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900
	ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358
	do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
	__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387
	do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412
	do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450
	entry_SYSENTER_compat_after_hwframe+0x84/0x8e

	Uninit was created at:
	slab_post_alloc_hook mm/slub.c:4121 [inline]
	slab_alloc_node mm/slub.c:4164 [inline]
	kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171
	insert_tree net/netfilter/nf_conncount.c:372 [inline]
	count_tree net/netfilter/nf_conncount.c:450 [inline]
	nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521
	connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72
	__nft_match_eval net/netfilter/nft_compat.c:403 [inline]
	nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433
	expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
	nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288
	nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23
	nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
	nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
	nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663
	NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
	ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633
	ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669
	__netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]
	__netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983
	__netif_receive_skb_list net/core/dev.c:6035 [inline]
	netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126
	netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178
	xdp_recv_frames net/bpf/test_run.c:280 [inline]
	xdp_test_run_batch net/bpf/test_run.c:361 [inline]
	bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390
	bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316
	bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407
	__sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813
	__do_sys_bpf kernel/bpf/syscall.c:5902 [inline]
	__se_sys_bpf kernel/bpf/syscall.c:5900 [inline]
	__ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900
	ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358
	do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
	__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387
	do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412
	do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450
	entry_SYSENTER_compat_after_hwframe+0x84/0x8e

	The Linux kernel CVE team has assigned CVE-2025-21959 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 5.4.292 with commit f522229c5563b59b4240261e406779bba6754159
	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 5.10.236 with commit 2a154ce766b995494e88d8d117fa82cc6b73dd87
	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 5.15.180 with commit e8544a5a97bee3674e7cd6bf0f3a4af517fa9146
	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 6.1.132 with commit a62a25c6ad58fae997f48a0749afeda1c252ae51
	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 6.6.84 with commit fda50302a13701d47fbe01e1739c7a51114144fb
	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 6.12.20 with commit db1e0c0856821c59a32ea3af79476bf20a6beeb2
	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 6.13.8 with commit 2db5baaf047a7c8d6ed5e2cc657b7854e155b7fc
	Issue introduced in 4.18 with commit b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 and fixed in 6.14 with commit d653bfeb07ebb3499c403404c21ac58a16531607
	Issue introduced in 4.14.92 with commit 75af3d78168e654a5cd8bbc4c774f97be836165f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21959
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/netfilter/nf_conncount.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f522229c5563b59b4240261e406779bba6754159
	https://git.kernel.org/stable/c/2a154ce766b995494e88d8d117fa82cc6b73dd87
	https://git.kernel.org/stable/c/e8544a5a97bee3674e7cd6bf0f3a4af517fa9146
	https://git.kernel.org/stable/c/a62a25c6ad58fae997f48a0749afeda1c252ae51
	https://git.kernel.org/stable/c/fda50302a13701d47fbe01e1739c7a51114144fb
	https://git.kernel.org/stable/c/db1e0c0856821c59a32ea3af79476bf20a6beeb2
	https://git.kernel.org/stable/c/2db5baaf047a7c8d6ed5e2cc657b7854e155b7fc
	https://git.kernel.org/stable/c/d653bfeb07ebb3499c403404c21ac58a16531607