CVE-2025-21707
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/02/2025
Last modified:
13/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
mptcp: consolidate suboption status<br />
<br />
MPTCP maintains the received sub-options status is the bitmask carrying<br />
the received suboptions and in several bitfields carrying per suboption<br />
additional info.<br />
<br />
Zeroing the bitmask before parsing is not enough to ensure a consistent<br />
status, and the MPTCP code has to additionally clear some bitfiled<br />
depending on the actually parsed suboption.<br />
<br />
The above schema is fragile, and syzbot managed to trigger a path where<br />
a relevant bitfield is not cleared/initialized:<br />
<br />
BUG: KMSAN: uninit-value in __mptcp_expand_seq net/mptcp/options.c:1030 [inline]<br />
BUG: KMSAN: uninit-value in mptcp_expand_seq net/mptcp/protocol.h:864 [inline]<br />
BUG: KMSAN: uninit-value in ack_update_msk net/mptcp/options.c:1060 [inline]<br />
BUG: KMSAN: uninit-value in mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209<br />
__mptcp_expand_seq net/mptcp/options.c:1030 [inline]<br />
mptcp_expand_seq net/mptcp/protocol.h:864 [inline]<br />
ack_update_msk net/mptcp/options.c:1060 [inline]<br />
mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209<br />
tcp_data_queue+0xb4/0x7be0 net/ipv4/tcp_input.c:5233<br />
tcp_rcv_established+0x1061/0x2510 net/ipv4/tcp_input.c:6264<br />
tcp_v4_do_rcv+0x7f3/0x11a0 net/ipv4/tcp_ipv4.c:1916<br />
tcp_v4_rcv+0x51df/0x5750 net/ipv4/tcp_ipv4.c:2351<br />
ip_protocol_deliver_rcu+0x2a3/0x13d0 net/ipv4/ip_input.c:205<br />
ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233<br />
NF_HOOK include/linux/netfilter.h:314 [inline]<br />
ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254<br />
dst_input include/net/dst.h:460 [inline]<br />
ip_rcv_finish+0x4a2/0x520 net/ipv4/ip_input.c:447<br />
NF_HOOK include/linux/netfilter.h:314 [inline]<br />
ip_rcv+0xcd/0x380 net/ipv4/ip_input.c:567<br />
__netif_receive_skb_one_core net/core/dev.c:5704 [inline]<br />
__netif_receive_skb+0x319/0xa00 net/core/dev.c:5817<br />
process_backlog+0x4ad/0xa50 net/core/dev.c:6149<br />
__napi_poll+0xe7/0x980 net/core/dev.c:6902<br />
napi_poll net/core/dev.c:6971 [inline]<br />
net_rx_action+0xa5a/0x19b0 net/core/dev.c:7093<br />
handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561<br />
__do_softirq+0x14/0x1a kernel/softirq.c:595<br />
do_softirq+0x9a/0x100 kernel/softirq.c:462<br />
__local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389<br />
local_bh_enable include/linux/bottom_half.h:33 [inline]<br />
rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]<br />
__dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4493<br />
dev_queue_xmit include/linux/netdevice.h:3168 [inline]<br />
neigh_hh_output include/net/neighbour.h:523 [inline]<br />
neigh_output include/net/neighbour.h:537 [inline]<br />
ip_finish_output2+0x187c/0x1b70 net/ipv4/ip_output.c:236<br />
__ip_finish_output+0x287/0x810<br />
ip_finish_output+0x4b/0x600 net/ipv4/ip_output.c:324<br />
NF_HOOK_COND include/linux/netfilter.h:303 [inline]<br />
ip_output+0x15f/0x3f0 net/ipv4/ip_output.c:434<br />
dst_output include/net/dst.h:450 [inline]<br />
ip_local_out net/ipv4/ip_output.c:130 [inline]<br />
__ip_queue_xmit+0x1f2a/0x20d0 net/ipv4/ip_output.c:536<br />
ip_queue_xmit+0x60/0x80 net/ipv4/ip_output.c:550<br />
__tcp_transmit_skb+0x3cea/0x4900 net/ipv4/tcp_output.c:1468<br />
tcp_transmit_skb net/ipv4/tcp_output.c:1486 [inline]<br />
tcp_write_xmit+0x3b90/0x9070 net/ipv4/tcp_output.c:2829<br />
__tcp_push_pending_frames+0xc4/0x380 net/ipv4/tcp_output.c:3012<br />
tcp_send_fin+0x9f6/0xf50 net/ipv4/tcp_output.c:3618<br />
__tcp_close+0x140c/0x1550 net/ipv4/tcp.c:3130<br />
__mptcp_close_ssk+0x74e/0x16f0 net/mptcp/protocol.c:2496<br />
mptcp_close_ssk+0x26b/0x2c0 net/mptcp/protocol.c:2550<br />
mptcp_pm_nl_rm_addr_or_subflow+0x635/0xd10 net/mptcp/pm_netlink.c:889<br />
mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:924 [inline]<br />
mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_netlink.c:1688 [inline]<br />
mptcp_nl_flush_addrs_list net/mptcp/pm_netlink.c:1709 [inline]<br />
mptcp_pm_nl_flush_addrs_doit+0xe10/0x1630 net/mptcp/pm_netlink.c:1750<br />
genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]<br />
<br />
---truncated---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 6.1.129 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.76 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/3a7fda57b0f91f7ea34476b165f91a92feb17c96
- https://git.kernel.org/stable/c/3b5332d416d151a15742d1b16e7319368e3cc5c6
- https://git.kernel.org/stable/c/6169e942370b4b6f9442d35c51519bf6c346843b
- https://git.kernel.org/stable/c/7f6c72b8ef8130760710e337dc8fbe7263954884
- https://git.kernel.org/stable/c/ba0518f9e8688cd4fcb569e8df2a74874b4f3894
- https://git.kernel.org/stable/c/c86b000782daba926c627d2fa00c3f60a75e7472