CVE-2025-22055
Severity CVSS v4.0:
Pending analysis
Type:
CWE-190
Integer Overflow or Wraparound
Publication date:
16/04/2025
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net: fix geneve_opt length integer overflow

struct geneve_opt uses a 5-bit length for each single option, which
means every variable-size option should be smaller than 128 bytes.

However, all current related Netlink policies cannot promise this
length condition and the attacker can exploit an exact 128-byte size
option to *fake* a zero-length option and confuse the parsing logic,
further achieving a heap out-of-bounds read.

One example crash log is shown below:

[ 3.905425] ==================================================================
[ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0
[ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177
[ 3.906646]
[ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1
[ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 3.907784] Call Trace:
[ 3.907925]
[ 3.908048] dump_stack_lvl+0x44/0x5c
[ 3.908258] print_report+0x184/0x4be
[ 3.909151] kasan_report+0xc5/0x100
[ 3.909539] kasan_check_range+0xf3/0x1a0
[ 3.909794] memcpy+0x1f/0x60
[ 3.909968] nla_put+0xa9/0xe0
[ 3.910147] tunnel_key_dump+0x945/0xba0
[ 3.911536] tcf_action_dump_1+0x1c1/0x340
[ 3.912436] tcf_action_dump+0x101/0x180
[ 3.912689] tcf_exts_dump+0x164/0x1e0
[ 3.912905] fw_dump+0x18b/0x2d0
[ 3.913483] tcf_fill_node+0x2ee/0x460
[ 3.914778] tfilter_notify+0xf4/0x180
[ 3.915208] tc_new_tfilter+0xd51/0x10d0
[ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560
[ 3.919118] netlink_rcv_skb+0xcd/0x200
[ 3.919787] netlink_unicast+0x395/0x530
[ 3.921032] netlink_sendmsg+0x3d0/0x6d0
[ 3.921987] __sock_sendmsg+0x99/0xa0
[ 3.922220] __sys_sendto+0x1b7/0x240
[ 3.922682] __x64_sys_sendto+0x72/0x90
[ 3.922906] do_syscall_64+0x5e/0x90
[ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 3.924122] RIP: 0033:0x7e83eab84407
[ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
[ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407
[ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003
[ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c
[ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0
[ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8

Fix these issues by enforcing the correct length condition in related
policies.
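The wraparound described in the commit message, as an added stand-alone example (not kernel code, and not the patch referenced above): the Geneve option header carries the option's data length as a 5-bit count of 4-byte words, so the largest representable data length is 31 * 4 = 124 bytes, and a 128-byte payload (32 words) stores as 0. The block models the wire format, shows the value that lands in the field, shows how a length-trusting walker is confused by the faked zero-length option, and applies the length check that the Netlink policies were missing. The buffer contents and the helper names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Linux kernel code. Models the Geneve option header:
 * 2-byte option class, 1-byte type, then one byte holding three reserved
 * bits and a 5-bit length expressed in 4-byte units (data only, header
 * excluded). CVE-2025-22055 is the case where that 5-bit field wraps.
 */
#define GENEVE_OPT_HDR_LEN   4
#define GENEVE_OPT_LEN_BITS  5
#define GENEVE_OPT_MAX_WORDS ((1u << GENEVE_OPT_LEN_BITS) - 1)  /* 31 */
#define GENEVE_OPT_MAX_DATA  (GENEVE_OPT_MAX_WORDS * 4)          /* 124 */

/* The value that actually lands in the 5-bit field for a given data length.
 * 128 bytes is 32 words, and 32 & 0x1f == 0: the option encodes as empty. */
unsigned geneve_len_field(size_t data_len)
{
    return (unsigned)((data_len / 4) & GENEVE_OPT_MAX_WORDS);
}

/* The condition the unpatched policies did not enforce: option data must be
 * a non-zero multiple of 4 bytes that fits in the 5-bit field (<= 124). */
int geneve_opt_data_len_ok(size_t data_len)
{
    return data_len != 0 && data_len % 4 == 0 && data_len <= GENEVE_OPT_MAX_DATA;
}

/* Serialise one option. With `checked` set, bad lengths are rejected (the
 * behaviour the fix restores); otherwise the caller's length is trusted and
 * silently truncated into the header (the bug). Returns bytes written, or 0
 * on rejection or insufficient space. */
size_t geneve_put_option(uint8_t *out, size_t cap, uint16_t cls, uint8_t type,
                         const uint8_t *data, size_t data_len, int checked)
{
    if (checked && !geneve_opt_data_len_ok(data_len))
        return 0;
    if (cap < GENEVE_OPT_HDR_LEN + data_len)
        return 0;
    out[0] = (uint8_t)(cls >> 8);
    out[1] = (uint8_t)cls;
    out[2] = type;
    out[3] = (uint8_t)geneve_len_field(data_len);  /* reserved bits stay 0 */
    memcpy(out + GENEVE_OPT_HDR_LEN, data, data_len);
    return GENEVE_OPT_HDR_LEN + data_len;
}

/* Walk a buffer of options the way a consumer that trusts the header does,
 * returning how many options it sees. A wrapped (zero) length makes the
 * walker step only 4 bytes and parse the 128-byte payload as more headers. */
size_t geneve_count_options(const uint8_t *buf, size_t len)
{
    size_t off = 0, n = 0;
    while (len - off >= GENEVE_OPT_HDR_LEN) {
        size_t data_len = (size_t)(buf[off + 3] & GENEVE_OPT_MAX_WORDS) * 4;
        if (len - off - GENEVE_OPT_HDR_LEN < data_len)
            break;                                 /* truncated option */
        off += GENEVE_OPT_HDR_LEN + data_len;
        n++;
    }
    return n;
}

/* Constructed input: a single option with exactly 128 bytes of zero data.
 * Returns the number of options the walker counts after encoding it. */
size_t demo_wrapped_option_count(int checked)
{
    uint8_t data[128] = {0};
    uint8_t buf[256];
    size_t w = geneve_put_option(buf, sizeof buf, 0x0102, 0x80,
                                 data, sizeof data, checked);
    if (w == 0)
        return 0;                                  /* rejected by the checked encoder */
    return geneve_count_options(buf, w);
}

int main(void)
{
    printf("len field for 124-byte data: %u\n", geneve_len_field(124));
    printf("len field for 128-byte data: %u\n", geneve_len_field(128));
    printf("unchecked encoder: walker sees %zu options in one 128-byte option\n",
           demo_wrapped_option_count(0));
    printf("checked encoder:   walker sees %zu options (option rejected)\n",
           demo_wrapped_option_count(1));
    return 0;
}
```

With the unchecked encoder the single 128-byte option is written with a length byte of 0, so the walker treats the header plus every 4-byte chunk of the zeroed payload as its own empty option and counts 33 of them instead of 1; the same confusion in the kernel's dump path is what produced the 124-byte out-of-bounds read in the KASAN report above. The checked encoder refuses the 128-byte option outright, which is the effect of bounding the length in the Netlink policy.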
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19 (including) | 5.10.236 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.180 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.134 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.87 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.23 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.14 (including) | 6.14.2 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/21748669c5825761cbbf47cbeeb01387ddccc8cb
- https://git.kernel.org/stable/c/2952776c69a1a551649ed770bf22e3f691f6ec65
- https://git.kernel.org/stable/c/4d606069bdd3c76f8ab1f06796c97ef7f4746807
- https://git.kernel.org/stable/c/5a2976cc4d9c36ff58a0f10e35ce4283cbaa9c0e
- https://git.kernel.org/stable/c/738ae5712215fe9181587d582b23333f02c62ca6
- https://git.kernel.org/stable/c/a2cb85f989e2074e2f392e00188c438cab3de088
- https://git.kernel.org/stable/c/b27055a08ad4b415dcf15b63034f9cb236f7fb40
- https://git.kernel.org/stable/c/b4513ad0f391871d3feee8ddf535609a3aabeeac
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html