cve/2025/CVE-2025-21960.md
2025-09-29 21:09:30 +02:00

CVE-2025-21960

Description

In the Linux kernel, the following vulnerability has been resolved:

eth: bnxt: do not update checksum in bnxt_xdp_build_skb()

The bnxt_rx_pkt() updates ip_summed value at the end if checksum offload is enabled. When the XDP-MB program is attached and it returns XDP_PASS, the bnxt_xdp_build_skb() is called to update skb_shared_info. The main purpose of bnxt_xdp_build_skb() is to update skb_shared_info, but it updates ip_summed value too if checksum offload is enabled. This is actually duplicate work.

When the bnxt_rx_pkt() updates ip_summed value, it checks if ip_summed is CHECKSUM_NONE or not. It means that ip_summed should be CHECKSUM_NONE at this moment. But ip_summed may already be updated to CHECKSUM_UNNECESSARY in the XDP-MB-PASS path. So the skb_checksum_none_assert() WARNS about it.

This is duplicate work and updating ip_summed in the bnxt_xdp_build_skb() is not needed.

Splat looks like:

```
WARNING: CPU: 3 PID: 5782 at ./include/linux/skbuff.h:5155 bnxt_rx_pkt+0x479b/0x7610 [bnxt_en]
Modules linked in: bnxt_re bnxt_en rdma_ucm rdma_cm iw_cm ib_cm ib_uverbs veth xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_]
CPU: 3 UID: 0 PID: 5782 Comm: socat Tainted: G W 6.14.0-rc4+ #27
Tainted: [W]=WARN
Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021
RIP: 0010:bnxt_rx_pkt+0x479b/0x7610 [bnxt_en]
Code: 54 24 0c 4c 89 f1 4c 89 ff c1 ea 1f ff d3 0f 1f 00 49 89 c6 48 85 c0 0f 84 4c e5 ff ff 48 89 c7 e8 ca 3d a0 c8 e9 8f f4 ff ff <0f> 0b f
RSP: 0018:ffff88881ba09928 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 00000000c7590303 RCX: 0000000000000000
RDX: 1ffff1104e7d1610 RSI: 0000000000000001 RDI: ffff8881c91300b8
RBP: ffff88881ba09b28 R08: ffff888273e8b0d0 R09: ffff888273e8b070
R10: ffff888273e8b010 R11: ffff888278b0f000 R12: ffff888273e8b080
R13: ffff8881c9130e00 R14: ffff8881505d3800 R15: ffff888273e8b000
FS: 00007f5a2e7be080(0000) GS:ffff88881ba00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff2e708ff8 CR3: 000000013e3b0000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
 ? __warn+0xcd/0x2f0
 ? bnxt_rx_pkt+0x479b/0x7610
 ? report_bug+0x326/0x3c0
 ? handle_bug+0x53/0xa0
 ? exc_invalid_op+0x14/0x50
 ? asm_exc_invalid_op+0x16/0x20
 ? bnxt_rx_pkt+0x479b/0x7610
 ? bnxt_rx_pkt+0x3e41/0x7610
 ? __pfx_bnxt_rx_pkt+0x10/0x10
 ? napi_complete_done+0x2cf/0x7d0
 __bnxt_poll_work+0x4e8/0x1220
 ? __pfx___bnxt_poll_work+0x10/0x10
 ? __pfx_mark_lock.part.0+0x10/0x10
 bnxt_poll_p5+0x36a/0xfa0
 ? __pfx_bnxt_poll_p5+0x10/0x10
 __napi_poll.constprop.0+0xa0/0x440
 net_rx_action+0x899/0xd00
...
```

Following ping.py patch adds xdp-mb-pass case, so ping.py is going to be able to reproduce this issue.
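The ordering problem described above, reduced to a user-space model. This is an added example, not code from the kernel or the bnxt_en driver: every `model_*` name is a hypothetical stand-in, and the assert counts a warning instead of calling WARN.

```c
/* User-space model of the flow described above; not kernel or driver code.
 * model_* names are hypothetical stand-ins for the functions the text names. */
#include <stdbool.h>
#include <stdio.h>

enum { CHECKSUM_NONE = 0, CHECKSUM_UNNECESSARY = 1 };

struct model_skb {
    int ip_summed;   /* checksum state carried by the packet */
    int nr_frags;    /* stands in for skb_shared_info */
};

static int warn_count;   /* times the assert would have WARNed */

/* Stand-in for skb_checksum_none_assert(): count instead of WARN. */
static void model_checksum_none_assert(const struct model_skb *skb)
{
    if (skb->ip_summed != CHECKSUM_NONE)
        warn_count++;
}

/* XDP-MB XDP_PASS helper; 'patched' selects the behaviour after the fix. */
static void model_xdp_build_skb(struct model_skb *skb, bool rxcsum, bool patched)
{
    skb->nr_frags = 2;                          /* its main purpose */
    if (!patched && rxcsum)
        skb->ip_summed = CHECKSUM_UNNECESSARY;  /* the duplicate update */
}

/* RX path: returns the warning count, stores the final ip_summed in *out. */
static int model_rx_pkt(bool xdp_mb_pass, bool rxcsum, bool patched, int *out)
{
    struct model_skb skb = { .ip_summed = CHECKSUM_NONE, .nr_frags = 0 };
    warn_count = 0;
    if (xdp_mb_pass)
        model_xdp_build_skb(&skb, rxcsum, patched);
    model_checksum_none_assert(&skb);           /* expects CHECKSUM_NONE */
    if (rxcsum)
        skb.ip_summed = CHECKSUM_UNNECESSARY;   /* update at the end */
    *out = skb.ip_summed;
    return warn_count;
}

int main(void)
{
    int s;
    printf("unpatched: %d warning(s)\n", model_rx_pkt(true, true, false, &s));
    printf("patched:   %d warning(s)\n", model_rx_pkt(true, true, true, &s));
    return 0;
}
```

In the model the final `ip_summed` is the same with and without the early update, so dropping it changes only whether the assert fires.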

POC

Reference

No PoCs from references.

Github