cve/published/2025/CVE-2025-37961.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37961: ipvs: fix uninit-value for saddr in do_output_route4

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ipvs: fix uninit-value for saddr in do_output_route4

 syzbot reports for uninit-value for the saddr argument [1].
 commit 4754957f04f5 ("ipvs: do not use random local source address for
 tunnels") already implies that the input value of saddr
 should be ignored but the code is still reading it which can prevent
 to connect the route. Fix it by changing the argument to ret_saddr.

 [1]
 BUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147
  do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147
  __ip_vs_get_out_rt+0x403/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:330
  ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136
  ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063
  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
  nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626
  nf_hook include/linux/netfilter.h:269 [inline]
  __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118
  ip_local_out net/ipv4/ip_output.c:127 [inline]
  ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501
  udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195
  udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483
  inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851
  sock_sendmsg_nosec net/socket.c:712 [inline]
  __sock_sendmsg+0x267/0x380 net/socket.c:727
  ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620
  __sys_sendmmsg+0x41d/0x880 net/socket.c:2702
  __compat_sys_sendmmsg net/compat.c:360 [inline]
  __do_compat_sys_sendmmsg net/compat.c:367 [inline]
  __se_compat_sys_sendmmsg net/compat.c:364 [inline]
  __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364
  ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346
  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
  __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306
  do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369
  entry_SYSENTER_compat_after_hwframe+0x84/0x8e

 Uninit was created at:
  slab_post_alloc_hook mm/slub.c:4167 [inline]
  slab_alloc_node mm/slub.c:4210 [inline]
  __kmalloc_cache_noprof+0x8fa/0xe00 mm/slub.c:4367
  kmalloc_noprof include/linux/slab.h:905 [inline]
  ip_vs_dest_dst_alloc net/netfilter/ipvs/ip_vs_xmit.c:61 [inline]
  __ip_vs_get_out_rt+0x35d/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:323
  ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136
  ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063
  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
  nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626
  nf_hook include/linux/netfilter.h:269 [inline]
  __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118
  ip_local_out net/ipv4/ip_output.c:127 [inline]
  ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501
  udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195
  udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483
  inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851
  sock_sendmsg_nosec net/socket.c:712 [inline]
  __sock_sendmsg+0x267/0x380 net/socket.c:727
  ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620
  __sys_sendmmsg+0x41d/0x880 net/socket.c:2702
  __compat_sys_sendmmsg net/compat.c:360 [inline]
  __do_compat_sys_sendmmsg net/compat.c:367 [inline]
  __se_compat_sys_sendmmsg net/compat.c:364 [inline]
  __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364
  ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346
  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
  __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306
  do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369
  entry_SYSENTER_compat_after_hwframe+0x84/0x8e

 CPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef)
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025

 The Linux kernel CVE team has assigned CVE-2025-37961 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.2 with commit 4754957f04f5f368792a0eb7dab0ae89fb93dcfd and fixed in 6.1.139 with commit 7d0032112a0380d0b8d7c9005f621928a9b9fc76
 	Issue introduced in 4.2 with commit 4754957f04f5f368792a0eb7dab0ae89fb93dcfd and fixed in 6.6.91 with commit adbc8cc1162951cb152ed7f147d5fbd35ce3e62f
 	Issue introduced in 4.2 with commit 4754957f04f5f368792a0eb7dab0ae89fb93dcfd and fixed in 6.12.29 with commit 0160ac84fb03a0bd8dce8a42cb25bfaeedd110f4
 	Issue introduced in 4.2 with commit 4754957f04f5f368792a0eb7dab0ae89fb93dcfd and fixed in 6.14.7 with commit a3a1b784791a3cbfc6e05c4d8a3c321ac5136e25
 	Issue introduced in 4.2 with commit 4754957f04f5f368792a0eb7dab0ae89fb93dcfd and fixed in 6.15 with commit e34090d7214e0516eb8722aee295cb2507317c07
 	Issue introduced in 3.10.91 with commit 212c45ac20229c1752dd56fa38e9a8d57127974b
 	Issue introduced in 3.12.50 with commit 2f0c79dd1e9d55a279b0a8e363717b7a896fe7b4
 	Issue introduced in 3.14.55 with commit cc2b6a186da7580d4557e7175c5ab4b18d9a57f0
 	Issue introduced in 3.18.23 with commit e89e653311ac2c9f37ceb778212ae4dbe1104091
 	Issue introduced in 4.1.11 with commit f1d62fb20245bc89d6ba93d829763450250a592b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37961
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/netfilter/ipvs/ip_vs_xmit.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7d0032112a0380d0b8d7c9005f621928a9b9fc76
 	https://git.kernel.org/stable/c/adbc8cc1162951cb152ed7f147d5fbd35ce3e62f
 	https://git.kernel.org/stable/c/0160ac84fb03a0bd8dce8a42cb25bfaeedd110f4
 	https://git.kernel.org/stable/c/a3a1b784791a3cbfc6e05c4d8a3c321ac5136e25
 	https://git.kernel.org/stable/c/e34090d7214e0516eb8722aee295cb2507317c07
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37961: ipvs: fix uninit-value for saddr in do_output_route4

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ipvs: fix uninit-value for saddr in do_output_route4

	syzbot reports for uninit-value for the saddr argument [1].
	commit 4754957f04f5 ("ipvs: do not use random local source address for
	tunnels") already implies that the input value of saddr
	should be ignored but the code is still reading it which can prevent
	to connect the route. Fix it by changing the argument to ret_saddr.

	[1]
	BUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147
	do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147
	__ip_vs_get_out_rt+0x403/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:330
	ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136
	ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063
	nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
	nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626
	nf_hook include/linux/netfilter.h:269 [inline]
	__ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118
	ip_local_out net/ipv4/ip_output.c:127 [inline]
	ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501
	udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195
	udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483
	inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851
	sock_sendmsg_nosec net/socket.c:712 [inline]
	__sock_sendmsg+0x267/0x380 net/socket.c:727
	____sys_sendmsg+0x91b/0xda0 net/socket.c:2566
	___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620
	__sys_sendmmsg+0x41d/0x880 net/socket.c:2702
	__compat_sys_sendmmsg net/compat.c:360 [inline]
	__do_compat_sys_sendmmsg net/compat.c:367 [inline]
	__se_compat_sys_sendmmsg net/compat.c:364 [inline]
	__ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364
	ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346
	do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
	__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306
	do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
	do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369
	entry_SYSENTER_compat_after_hwframe+0x84/0x8e

	Uninit was created at:
	slab_post_alloc_hook mm/slub.c:4167 [inline]
	slab_alloc_node mm/slub.c:4210 [inline]
	__kmalloc_cache_noprof+0x8fa/0xe00 mm/slub.c:4367
	kmalloc_noprof include/linux/slab.h:905 [inline]
	ip_vs_dest_dst_alloc net/netfilter/ipvs/ip_vs_xmit.c:61 [inline]
	__ip_vs_get_out_rt+0x35d/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:323
	ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136
	ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063
	nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
	nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626
	nf_hook include/linux/netfilter.h:269 [inline]
	__ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118
	ip_local_out net/ipv4/ip_output.c:127 [inline]
	ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501
	udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195
	udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483
	inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851
	sock_sendmsg_nosec net/socket.c:712 [inline]
	__sock_sendmsg+0x267/0x380 net/socket.c:727
	____sys_sendmsg+0x91b/0xda0 net/socket.c:2566
	___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620
	__sys_sendmmsg+0x41d/0x880 net/socket.c:2702
	__compat_sys_sendmmsg net/compat.c:360 [inline]
	__do_compat_sys_sendmmsg net/compat.c:367 [inline]
	__se_compat_sys_sendmmsg net/compat.c:364 [inline]
	__ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364
	ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346
	do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
	__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306
	do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
	do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369
	entry_SYSENTER_compat_after_hwframe+0x84/0x8e

	CPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef)
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025

	The Linux kernel CVE team has assigned CVE-2025-37961 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.2 with commit 4754957f04f5f368792a0eb7dab0ae89fb93dcfd and fixed in 6.1.139 with commit 7d0032112a0380d0b8d7c9005f621928a9b9fc76
	Issue introduced in 4.2 with commit 4754957f04f5f368792a0eb7dab0ae89fb93dcfd and fixed in 6.6.91 with commit adbc8cc1162951cb152ed7f147d5fbd35ce3e62f
	Issue introduced in 4.2 with commit 4754957f04f5f368792a0eb7dab0ae89fb93dcfd and fixed in 6.12.29 with commit 0160ac84fb03a0bd8dce8a42cb25bfaeedd110f4
	Issue introduced in 4.2 with commit 4754957f04f5f368792a0eb7dab0ae89fb93dcfd and fixed in 6.14.7 with commit a3a1b784791a3cbfc6e05c4d8a3c321ac5136e25
	Issue introduced in 4.2 with commit 4754957f04f5f368792a0eb7dab0ae89fb93dcfd and fixed in 6.15 with commit e34090d7214e0516eb8722aee295cb2507317c07
	Issue introduced in 3.10.91 with commit 212c45ac20229c1752dd56fa38e9a8d57127974b
	Issue introduced in 3.12.50 with commit 2f0c79dd1e9d55a279b0a8e363717b7a896fe7b4
	Issue introduced in 3.14.55 with commit cc2b6a186da7580d4557e7175c5ab4b18d9a57f0
	Issue introduced in 3.18.23 with commit e89e653311ac2c9f37ceb778212ae4dbe1104091
	Issue introduced in 4.1.11 with commit f1d62fb20245bc89d6ba93d829763450250a592b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37961
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/netfilter/ipvs/ip_vs_xmit.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7d0032112a0380d0b8d7c9005f621928a9b9fc76
	https://git.kernel.org/stable/c/adbc8cc1162951cb152ed7f147d5fbd35ce3e62f
	https://git.kernel.org/stable/c/0160ac84fb03a0bd8dce8a42cb25bfaeedd110f4
	https://git.kernel.org/stable/c/a3a1b784791a3cbfc6e05c4d8a3c321ac5136e25
	https://git.kernel.org/stable/c/e34090d7214e0516eb8722aee295cb2507317c07