CVE-2025-23163

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 01/05/2025
Last modified: 05/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: vlan: don't propagate flags on open

With the device instance lock, there is now a possibility of a deadlock:

[ 1.211455] ============================================
[ 1.211571] WARNING: possible recursive locking detected
[ 1.211687] 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 Not tainted
[ 1.211823] --------------------------------------------
[ 1.211936] ip/184 is trying to acquire lock:
[ 1.212032] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_set_allmulti+0x4e/0xb0
[ 1.212207]
[ 1.212207] but task is already holding lock:
[ 1.212332] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0
[ 1.212487]
[ 1.212487] other info that might help us debug this:
[ 1.212626] Possible unsafe locking scenario:
[ 1.212626]
[ 1.212751] CPU0
[ 1.212815] ----
[ 1.212871] lock(&dev->lock);
[ 1.212944] lock(&dev->lock);
[ 1.213016]
[ 1.213016] *** DEADLOCK ***
[ 1.213016]
[ 1.213143] May be due to missing lock nesting notation
[ 1.213143]
[ 1.213294] 3 locks held by ip/184:
[ 1.213371] #0: ffffffff838b53e0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x1b/0xa0
[ 1.213543] #1: ffffffff84e5fc70 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x37/0xa0
[ 1.213727] #2: ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0
[ 1.213895]
[ 1.213895] stack backtrace:
[ 1.213991] CPU: 0 UID: 0 PID: 184 Comm: ip Not tainted 6.14.0-rc5-01215-g032756b4ca7a-dirty #5
[ 1.213993] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
[ 1.213994] Call Trace:
[ 1.213995]
[ 1.213996] dump_stack_lvl+0x8e/0xd0
[ 1.214000] print_deadlock_bug+0x28b/0x2a0
[ 1.214020] lock_acquire+0xea/0x2a0
[ 1.214027] __mutex_lock+0xbf/0xd40
[ 1.214038] dev_set_allmulti+0x4e/0xb0 # real_dev->flags & IFF_ALLMULTI
[ 1.214040] vlan_dev_open+0xa5/0x170 # ndo_open on vlandev
[ 1.214042] __dev_open+0x145/0x270
[ 1.214046] __dev_change_flags+0xb0/0x1e0
[ 1.214051] netif_change_flags+0x22/0x60 # IFF_UP vlandev
[ 1.214053] dev_change_flags+0x61/0xb0 # for each device in group from dev->vlan_info
[ 1.214055] vlan_device_event+0x766/0x7c0 # on netdevsim0
[ 1.214058] notifier_call_chain+0x78/0x120
[ 1.214062] netif_open+0x6d/0x90
[ 1.214064] dev_open+0x5b/0xb0 # locks netdevsim0
[ 1.214066] bond_enslave+0x64c/0x1230
[ 1.214075] do_set_master+0x175/0x1e0 # on netdevsim0
[ 1.214077] do_setlink+0x516/0x13b0
[ 1.214094] rtnl_newlink+0xaba/0xb80
[ 1.214132] rtnetlink_rcv_msg+0x440/0x490
[ 1.214144] netlink_rcv_skb+0xeb/0x120
[ 1.214150] netlink_unicast+0x1f9/0x320
[ 1.214153] netlink_sendmsg+0x346/0x3f0
[ 1.214157] __sock_sendmsg+0x86/0xb0
[ 1.214160] ____sys_sendmsg+0x1c8/0x220
[ 1.214164] ___sys_sendmsg+0x28f/0x2d0
[ 1.214179] __x64_sys_sendmsg+0xef/0x140
[ 1.214184] do_syscall_64+0xec/0x1d0
[ 1.214190] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1.214191] RIP: 0033:0x7f2d1b4a7e56

Device setup:

     netdevsim0 (down)
     ^        ^
  bond        netdevsim1.100@netdevsim1 allmulticast=on (down)

When we enslave the lower device (netdevsim0) which has a vlan, we
propagate vlan's allmulti/promisc flags during ndo_open. This causes
(re)locking on of the real_dev.

Propagate allmulti/promisc on flags change, not on the open. There
is a slight semantics change that vlans that are down now propagate
the flags, but this seems unlikely to result in the real issues.

Reproducer:

  echo 0 1 > /sys/bus/netdevsim/new_device

  dev_path=$(ls -d /sys/bus/netdevsim/devices/netdevsim0/net/*)
  dev=$(echo $dev_path | rev | cut -d/ -f1 | rev)

  ip link set dev $dev name netdevsim0
  ip link set dev netdevsim0 up

  ip link add link netdevsim0 name netdevsim0.100 type vlan id 100
  ip link set dev netdevsim0.100 allm
---truncated---

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 5.4.293 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.237 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.181 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.135 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.88 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.14 (including) | 6.14.3 (excluding)
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | |