mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-08-04 08:44:25 +00:00
135 lines
7.8 KiB
JSON
135 lines
7.8 KiB
JSON
{
|
|
"data_version": "4.0",
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"CVE_data_meta": {
|
|
"ID": "CVE-2025-21855",
|
|
"ASSIGNER": "cve@kernel.org",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Don't reference skb after sending to VIOS\n\nPreviously, after successfully flushing the xmit buffer to VIOS,\nthe tx_bytes stat was incremented by the length of the skb.\n\nIt is invalid to access the skb memory after sending the buffer to\nthe VIOS because, at any point after sending, the VIOS can trigger\nan interrupt to free this memory. A race between reading skb->len\nand freeing the skb is possible (especially during LPM) and will\nresult in use-after-free:\n ==================================================================\n BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\n Read of size 4 at addr c00000024eb48a70 by task hxecom/14495\n <...>\n Call Trace:\n [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)\n [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0\n [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8\n [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0\n [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\n [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358\n <...>\n Freed by task 0:\n kasan_save_stack+0x34/0x68\n kasan_save_track+0x2c/0x50\n kasan_save_free_info+0x64/0x108\n __kasan_mempool_poison_object+0x148/0x2d4\n napi_skb_cache_put+0x5c/0x194\n net_tx_action+0x154/0x5b8\n handle_softirqs+0x20c/0x60c\n do_softirq_own_stack+0x6c/0x88\n <...>\n The buggy address belongs to the object at c00000024eb48a00 which\n belongs to the cache skbuff_head_cache of size 224\n=================================================================="
|
|
}
|
|
]
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "n/a"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "Linux",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "Linux",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "032c5e82847a2214c3196a90f0aeba0ce252de58",
|
|
"version_value": "501ac6a7e21b82e05207c6b4449812d82820f306"
|
|
},
|
|
{
|
|
"version_value": "not down converted",
|
|
"x_cve_json_5_version_data": {
|
|
"versions": [
|
|
{
|
|
"version": "4.5",
|
|
"status": "affected"
|
|
},
|
|
{
|
|
"version": "0",
|
|
"lessThan": "4.5",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "6.1.130",
|
|
"lessThanOrEqual": "6.1.*",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "6.6.80",
|
|
"lessThanOrEqual": "6.6.*",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "6.12.17",
|
|
"lessThanOrEqual": "6.12.*",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "6.13.5",
|
|
"lessThanOrEqual": "6.13.*",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "6.14-rc4",
|
|
"lessThanOrEqual": "*",
|
|
"status": "unaffected",
|
|
"versionType": "original_commit_for_fix"
|
|
}
|
|
],
|
|
"defaultStatus": "affected"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/501ac6a7e21b82e05207c6b4449812d82820f306",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/501ac6a7e21b82e05207c6b4449812d82820f306"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/093b0e5c90592773863f300b908b741622eef597",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/093b0e5c90592773863f300b908b741622eef597"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/25dddd01dcc8ef3acff964dbb32eeb0d89f098e9",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/25dddd01dcc8ef3acff964dbb32eeb0d89f098e9"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/abaff2717470e4b5b7c0c3a90e128b211a23da09",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/abaff2717470e4b5b7c0c3a90e128b211a23da09"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/bdf5d13aa05ec314d4385b31ac974d6c7e0997c9",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/bdf5d13aa05ec314d4385b31ac974d6c7e0997c9"
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "bippy-5f407fcff5a0"
|
|
}
|
|
} |