CVE-2025-40254

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/12/2025
Last modified:
04/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: openvswitch: remove never-working support for setting nsh fields

The validation of the set(nsh(...)) action is completely wrong.
It runs through the nsh_key_put_from_nlattr() function that is the
same function that validates NSH keys for the flow match and the
push_nsh() action. However, the set(nsh(...)) has a very different
memory layout. Nested attributes in there are doubled in size in
case of the masked set(). That makes proper validation impossible.

There is also confusion in the code between the 'masked' flag, that
says that the nested attributes are doubled in size containing both
the value and the mask, and the 'is_mask' that says that the value
we're parsing is the mask. This is causing kernel crash on trying to
write into mask part of the match with SW_FLOW_KEY_PUT() during
validation, while validate_nsh() doesn't allocate any memory for it:

BUG: kernel NULL pointer dereference, address: 0000000000000018
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)
RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]
Call Trace:

validate_nsh+0x60/0x90 [openvswitch]
validate_set.constprop.0+0x270/0x3c0 [openvswitch]
__ovs_nla_copy_actions+0x477/0x860 [openvswitch]
ovs_nla_copy_actions+0x8d/0x100 [openvswitch]
ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]
genl_family_rcv_msg_doit+0xdb/0x130
genl_family_rcv_msg+0x14b/0x220
genl_rcv_msg+0x47/0xa0
netlink_rcv_skb+0x53/0x100
genl_rcv+0x24/0x40
netlink_unicast+0x280/0x3b0
netlink_sendmsg+0x1f7/0x430
____sys_sendmsg+0x36b/0x3a0
___sys_sendmsg+0x87/0xd0
__sys_sendmsg+0x6d/0xd0
do_syscall_64+0x7b/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

The third issue with this process is that while trying to convert
the non-masked set into masked one, validate_set() copies and doubles
the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested
attributes. It should be copying each nested attribute and doubling
them in size independently. And the process must be properly reversed
during the conversion back from masked to a non-masked variant during
the flow dump.

In the end, the only two outcomes of trying to use this action are
either validation failure or a kernel crash. And if somehow someone
manages to install a flow with such an action, it will most definitely
not do what it is supposed to, since all the keys and the masks are
mixed up.

Fixing all the issues is a complex task as it requires re-writing
most of the validation code.

Given that and the fact that this functionality never worked since
introduction, let's just remove it altogether. It's better to
re-introduce it later with a proper implementation instead of trying
to fix it in stable releases.
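The three defects the commit message describes (a validator that assumes the plain layout when parsing masked nested attributes, a mask written without any buffer allocated for it, and a plain-to-masked conversion that doubles the outer attribute instead of each nested one) can be shown on a toy netlink-style parser. The C below is an added example, not code from the Linux kernel or Open vSwitch: the sub-key types K_BASE and K_MD1, their sizes, the nsh_like struct and the all-ones mask used for the exact-match conversion are assumptions made for illustration; only the struct nlattr-style header layout (16-bit length including header, 16-bit type, 4-byte padding) follows the real one.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed netlink-style TLV with the struct nlattr header layout.
 * Sub-key types and sizes below are made up for this example. */
struct tlv { uint16_t len; uint16_t type; };
#define TLV_HDR   4u
#define ALIGN4(x) (((x) + 3u) & ~3u)

enum { K_BASE = 1, K_MD1 = 2, K_MAX = 2 };            /* hypothetical sub-keys */
static const size_t k_size[K_MAX + 1] = { 0, 8, 16 }; /* fixed value sizes */

/* Flat key the sub-keys land in; the mask uses the same layout. */
struct nsh_like { uint8_t base[8]; uint8_t md1[16]; };

static uint8_t *field(struct nsh_like *k, uint16_t t)
{
    return t == K_BASE ? k->base : k->md1;
}

/* Validate a set(nsh(...)) payload. In the masked form each nested attribute
 * carries value||mask, so its payload is exactly twice the key size; in the
 * plain form it is exactly the key size. A masked payload also needs a mask
 * buffer to write into: refusing when it is NULL is the check whose absence
 * produced the NULL dereference in the trace above. */
int validate_set_nsh(const uint8_t *buf, size_t len, int masked,
                     struct nsh_like *key, struct nsh_like *mask)
{
    size_t off = 0;
    if (masked && !mask)
        return -EINVAL;
    while (off + TLV_HDR <= len) {
        struct tlv h;
        memcpy(&h, buf + off, TLV_HDR);
        if (h.len < TLV_HDR || off + h.len > len || h.type < 1 || h.type > K_MAX)
            return -EINVAL;
        size_t ks = k_size[h.type], payload = h.len - TLV_HDR;
        if (payload != (masked ? 2 * ks : ks))   /* wrong layout for this form */
            return -EINVAL;
        const uint8_t *p = buf + off + TLV_HDR;
        memcpy(field(key, h.type), p, ks);
        if (masked)
            memcpy(field(mask, h.type), p + ks, ks);
        off += ALIGN4(h.len);
    }
    return off == len ? 0 : -EINVAL;
}

/* Convert a plain set into the masked form by doubling each nested attribute
 * on its own: value copied, then an all-ones (exact-match) mask. Doubling the
 * outer attribute as a whole, the third bug in the commit message, would
 * instead put a single mask after all of the values. */
size_t to_masked(const uint8_t *in, size_t len, uint8_t *out, size_t cap)
{
    size_t off = 0, w = 0;
    while (off + TLV_HDR <= len) {
        struct tlv h;
        memcpy(&h, in + off, TLV_HDR);
        if (h.len < TLV_HDR || off + h.len > len || h.type < 1 || h.type > K_MAX)
            return 0;
        size_t ks = k_size[h.type];
        if (h.len - TLV_HDR != ks || w + TLV_HDR + 2 * ks > cap)
            return 0;
        struct tlv nh = { (uint16_t)(TLV_HDR + 2 * ks), h.type };
        memcpy(out + w, &nh, TLV_HDR);
        memcpy(out + w + TLV_HDR, in + off + TLV_HDR, ks);
        memset(out + w + TLV_HDR + ks, 0xff, ks);
        w += TLV_HDR + 2 * ks;
        off += ALIGN4(h.len);
    }
    return off == len ? w : 0;
}

/* Constructed sample: one plain K_BASE attribute whose value is 1..8. */
size_t build_sample(uint8_t *out)
{
    struct tlv h = { (uint16_t)(TLV_HDR + 8), K_BASE };
    memcpy(out, &h, TLV_HDR);
    for (int i = 0; i < 8; i++)
        out[TLV_HDR + i] = (uint8_t)(i + 1);
    return TLV_HDR + 8;
}

int check_plain(void)           /* plain payload, plain parse: accepted */
{
    uint8_t b[64]; struct nsh_like k = {0};
    return validate_set_nsh(b, build_sample(b), 0, &k, NULL);
}

int check_plain_as_masked(void) /* plain payload parsed as masked: length mismatch */
{
    uint8_t b[64]; struct nsh_like k = {0}, m = {0};
    return validate_set_nsh(b, build_sample(b), 1, &k, &m);
}

int check_masked_no_mask(void)  /* masked payload, no mask storage: refused, not a crash */
{
    uint8_t b[64], mb[64]; struct nsh_like k = {0};
    size_t n = to_masked(b, build_sample(b), mb, sizeof mb);
    return validate_set_nsh(mb, n, 1, &k, NULL);
}

int check_masked_ok(void)       /* masked payload with mask storage: value and mask split */
{
    uint8_t b[64], mb[64]; struct nsh_like k = {0}, m = {0};
    size_t n = to_masked(b, build_sample(b), mb, sizeof mb);
    int rc = n == TLV_HDR + 16 ? validate_set_nsh(mb, n, 1, &k, &m) : -1;
    for (int i = 0; rc == 0 && i < 8; i++)
        if (k.base[i] != i + 1 || m.base[i] != 0xff) rc = -1;
    return rc;
}

int main(void)
{
    printf("plain=%d plain_as_masked=%d masked_no_mask=%d masked_ok=%d\n",
           check_plain(), check_plain_as_masked(), check_masked_no_mask(), check_masked_ok());
    return 0;
}
```

The check_* functions show the outcomes a correct validator produces: a plain payload parsed with the masked flag fails the length check instead of being misread, a masked payload with no mask storage is refused rather than written through a NULL pointer, and a per-attribute conversion leaves each value directly followed by its own mask.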

Impact