CVE-2025-38089

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
30/06/2025
Last modified:
03/07/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

sunrpc: handle SVC_GARBAGE during svc auth processing as auth error

tianshuo han reported a remotely-triggerable crash if the client sends a kernel RPC server a specially crafted packet. If decoding the RPC reply fails in such a way that SVC_GARBAGE is returned without setting the rq_accept_statp pointer, then that pointer can be dereferenced and a value stored there.

If it's the first time the thread has processed an RPC, then that pointer will be set to NULL and the kernel will crash. In other cases, it could create a memory scribble.

The server sunrpc code treats a SVC_GARBAGE return from svc_authenticate or pg_authenticate as if it should send a GARBAGE_ARGS reply. RFC 5531 says that if authentication fails that the RPC should be rejected instead with a status of AUTH_ERR.

Handle a SVC_GARBAGE return as an AUTH_ERROR, with a reason of AUTH_BADCRED instead of returning GARBAGE_ARGS in that case. This sidesteps the whole problem of touching the rpc_accept_statp pointer in this situation and avoids the crash.

Impact