admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-05-28 17:21:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2025/CVE-2025-218xx/CVE-2025-21865.json
cad-safe-bot e78d3f243b Auto-Update: 2025-03-13T23:00:21.542802+00:00
2025-03-13 23:03:50 +00:00

182 lines
13 KiB
JSON
Raw Blame History

{
"id": "CVE-2025-21865",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2025-03-12T10:15:19.650",
"lastModified": "2025-03-13T21:13:25.760",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\n\nBrad Spengler reported the list_del() corruption splat in\ngtp_net_exit_batch_rtnl(). [0]\n\nCommit eb28fd76c0a0 (\"gtp: Destroy device along with udp socket's netns\ndismantle.\") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()\nto destroy devices in each netns as done in geneve and ip tunnels.\n\nHowever, this could trigger ->dellink() twice for the same device during\n->exit_batch_rtnl().\n\nSay we have two netns A & B and gtp device B that resides in netns B but\nwhose UDP socket is in netns A.\n\n 1. cleanup_net() processes netns A and then B.\n\n 2. gtp_net_exit_batch_rtnl() finds the device B while iterating\n netns A's gn->gtp_dev_list and calls ->dellink().\n\n [ device B is not yet unlinked from netns B\n as unregister_netdevice_many() has not been called. ]\n\n 3. gtp_net_exit_batch_rtnl() finds the device B while iterating\n netns B's for_each_netdev() and calls ->dellink().\n\ngtp_dellink() cleans up the device's hash table, unlinks the dev from\ngn->gtp_dev_list, and calls unregister_netdevice_queue().\n\nBasically, calling gtp_dellink() multiple times is fine unless\nCONFIG_DEBUG_LIST is enabled.\n\nLet's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and\ndelegate the destruction to default_device_exit_batch() as done\nin bareudp.\n\n[0]:\nlist_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)\nkernel BUG at lib/list_debug.c:58!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: netns cleanup_net\nRIP: 0010:[<ffffffff84947381>] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nCode: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60\nRSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283\nRAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054\nRDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000\nRBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32\nR10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4\nR13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08\nRBX: kasan shadow of 0x0\nRCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554\nRDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nRSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71\nRBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]\nRSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]\nR09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]\nR10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]\nR15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]\nFS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0\nStack:\n 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00\n ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005\n 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d\nCall Trace:\n <TASK>\n [<ffffffff8a0c360d>] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28\n [<ffffffff8a0c360d>] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28\n [<ffffffff8a0c360d>] list_del include/linux/list.h:262 [inl\n---truncated---"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: gtp: Supresi\u00f3n de la corrupci\u00f3n de listas en gtp_net_exit_batch_rtnl(). Brad Spengler report\u00f3 la corrupci\u00f3n de list_del() en gtp_net_exit_batch_rtnl(). [0] El commit eb28fd76c0a0 (\"gtp: Destruir dispositivo junto con el desmantelamiento de netns del socket UDP\") a\u00f1adi\u00f3 el bucle for_each_netdev() en gtp_net_exit_batch_rtnl() para destruir dispositivos en cada netns, como se hace en los t\u00faneles geneve e IP. Sin embargo, esto podr\u00eda activar -&gt;dellink() dos veces para el mismo dispositivo durante -&gt;exit_batch_rtnl(). Digamos que tenemos dos netns A y B y un dispositivo gtp B que reside en netns B pero cuyo socket UDP est\u00e1 en netns A. 1. cleanup_net() procesa netns A y luego B. 2. gtp_net_exit_batch_rtnl() encuentra el dispositivo B mientras itera gn-&gt;gtp_dev_list de netns A y llama a -&gt;dellink(). [el dispositivo B a\u00fan no est\u00e1 desvinculado de netns B ya que no se ha llamado a unregister_netdevice_many().] 3. gtp_net_exit_batch_rtnl() encuentra el dispositivo B mientras itera for_each_netdev() de netns B y llama a -&gt;dellink(). gtp_dellink() limpia la tabla hash del dispositivo, desvincula el dev de gn-&gt;gtp_dev_list y llama a unregister_netdevice_queue(). B\u00e1sicamente, llamar a gtp_dellink() varias veces no tiene problema a menos que CONFIG_DEBUG_LIST est\u00e9 habilitado. Eliminemos for_each_netdev() en gtp_net_exit_batch_rtnl() y deleguemos la destrucci\u00f3n a default_device_exit_batch() como se hace en bareudp. [0]: corrupci\u00f3n en list_del, ffff8880aaa62c00-&gt;next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04) kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1 Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:[] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 Code: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc &lt;0f&gt; 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60 RSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283 RAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054 RDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000 RBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32 R10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4 R13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08 RBX: kasan shadow of 0x0 RCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554 RDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 RSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71 RBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object] RSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ] R09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ] R10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ] R15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object] FS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0 Stack: 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00 ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d Call Trace: [] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28 [] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28 [] list_del include/linux/list.h:262 [inl ---truncado---"
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-787"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.127",
"versionEndExcluding": "6.1.130",
"matchCriteriaId": "F5DAF95A-8A69-4B14-B6B1-D69D7B0E67ED"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.74",
"versionEndExcluding": "6.6.80",
"matchCriteriaId": "8E39A81F-E53D-411A-A984-01020256DBCF"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.11",
"versionEndExcluding": "6.12.17",
"matchCriteriaId": "A1046E13-7BCA-4984-A2A5-A636C37F89CB"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13",
"versionEndExcluding": "6.13.5",
"matchCriteriaId": "72E69ABB-9015-43A6-87E1-5150383CFFD9"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:5.4.290:*:*:*:*:*:*:*",
"matchCriteriaId": "545EEEA7-D108-42AD-A818-71A0944937FF"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:5.10.234:*:*:*:*:*:*:*",
"matchCriteriaId": "35D3F462-C339-41FE-9892-249F8F17987E"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:5.15.177:*:*:*:*:*:*:*",
"matchCriteriaId": "BE9C4B84-1FEC-4D82-AC35-E594761500D0"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*",
"matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/33eb925c0c26e86ca540a08254806512bf911f22",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/37e7644b961600ef0beb01d3970c3034a62913af",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/4ccacf86491d33d2486b62d4d44864d7101b299d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/7f86fb07db65a470d0c11f79da551bd9466357dc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/9d03e7e37187ae140e716377599493987fb20c5b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/b70fa591b066d52b141fc430ffdee35b6cc87a66",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/cb15bb1bde0ba97cbbed9508e45210dcafec3657",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/ff81b14010362f6188ca26fec22ff05e4da45595",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink