CVE-2025-40281

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 06/12/2025
Last modified: 06/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto

syzbot reported a possible shift-out-of-bounds [1]

Blamed commit added rto_alpha_max and rto_beta_max set to 1000.

It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta.

In order to prevent user regression, perform the test at run time.

Also add READ_ONCE() annotations as sysctl values can change under us.

[1]

UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41
shift exponent 64 is too large for 32-bit type 'unsigned int'
CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:

__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:233 [inline]
__ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494
sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509
sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502
sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338
sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]
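
As an added illustration (not the kernel's code and not the patch itself), this user-space C sketch models shift-based RTO smoothing with rto_alpha and rto_beta used as shift exponents, and checks each exponent at run time before shifting. The struct, the function name, the sample RTT values, and the choice to leave an estimate unchanged when its exponent is 32 or larger are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space model of per-path RTT state (not the kernel struct). */
struct rto_state {
    uint32_t srtt;    /* smoothed RTT */
    uint32_t rttvar;  /* RTT variance */
};

/* Shifting a 32-bit value by 32 or more is undefined behaviour in C. */
#define SHIFT_LIMIT 32u

/*
 * RFC 4960 section 6.3.1 smoothing, with alpha and beta given as inverse
 * powers of two (alpha = 3 means 1/8). Exponents are checked at run time;
 * an out-of-range exponent leaves that estimate unchanged (example's choice).
 * Returns how many of the two estimates were written.
 */
int rto_update(struct rto_state *st, uint32_t rtt, unsigned int alpha,
               unsigned int beta)
{
    int updated = 0;
    if (st->srtt == 0 && st->rttvar == 0) {   /* first measurement */
        st->srtt = rtt;
        st->rttvar = rtt >> 1;
        return 2;
    }
    if (beta < SHIFT_LIMIT) {                 /* uses the previous srtt */
        uint32_t diff = st->srtt > rtt ? st->srtt - rtt : rtt - st->srtt;
        st->rttvar = st->rttvar - (st->rttvar >> beta) + (diff >> beta);
        updated++;
    }
    if (alpha < SHIFT_LIMIT) {
        st->srtt = st->srtt - (st->srtt >> alpha) + (rtt >> alpha);
        updated++;
    }
    return updated;
}

int main(void)
{
    struct rto_state st = {0, 0};
    rto_update(&st, 800, 3, 2);               /* constructed sample RTTs */
    rto_update(&st, 1600, 3, 2);
    printf("srtt=%u rttvar=%u\n", st.srtt, st.rttvar);
    printf("updated with exponent 64: %d\n", rto_update(&st, 1600, 64, 64));
    return 0;
}
```

Building the unguarded form of the same arithmetic with -fsanitize=shift and an exponent of 64 produces the kind of report quoted in [1].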

Impact