CVE-2025-38566

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sunrpc: fix handling of server side tls alerts<br /> <br /> Scott Mayhew discovered a security exploit in NFS over TLS in<br /> tls_alert_recv() due to its assumption it can read data from<br /> the msg iterator&amp;#39;s kvec..<br /> <br /> kTLS implementation splits TLS non-data record payload between<br /> the control message buffer (which includes the type such as TLS<br /> aler or TLS cipher change) and the rest of the payload (say TLS<br /> alert&amp;#39;s level/description) which goes into the msg payload buffer.<br /> <br /> This patch proposes to rework how control messages are setup and<br /> used by sock_recvmsg().<br /> <br /> If no control message structure is setup, kTLS layer will read and<br /> process TLS data record types. As soon as it encounters a TLS control<br /> message, it would return an error. At that point, NFS can setup a<br /> kvec backed msg buffer and read in the control message such as a<br /> TLS alert. Msg iterator can advance the kvec pointer as a part of<br /> the copy process thus we need to revert the iterator before calling<br /> into the tls_alert_recv.