CVE-2025-68301

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/12/2025
Last modified:
16/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: atlantic: fix fragment overflow handling in RX path

The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)
fragments when handling large multi-descriptor packets. This causes an
out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.

The issue occurs because the driver doesn't check the total number of
fragments before calling skb_add_rx_frag(). When a packet requires more
than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.

Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for. And reusing the existing check to
prevent the overflow earlier in the code path.

This crash occurred in production with an Aquantia AQC113 10G NIC.

Stack trace from production environment:
```
RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0
Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89 ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90 c8 00 00 00 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48 89 fa 83
RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287
RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX: fffffffe0a0c8000
RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI: 0000000000037a40
RBP: 0000000000000024 R08: 0000000000000000 R09: 0000000000000021
R10: 0000000000000848 R11: 0000000000000000 R12: ffffa9bec02a8e24
R13: ffff925ad8615570 R14: 0000000000000000 R15: ffff925b22e80a00
FS:  0000000000000000(0000) GS:ffff925e47880000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4: 0000000000f72ef0
PKRU: 55555554
Call Trace:

aq_ring_rx_clean+0x175/0xe60 [atlantic]
? aq_ring_rx_clean+0x14d/0xe60 [atlantic]
? aq_ring_tx_clean+0xdf/0x190 [atlantic]
? kmem_cache_free+0x348/0x450
? aq_vec_poll+0x81/0x1d0 [atlantic]
? __napi_poll+0x28/0x1c0
? net_rx_action+0x337/0x420
```

Changes in v4:
- Add Fixes: tag to satisfy patch validation requirements.

Changes in v3:
- Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for.
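The following is an added model of the fragment accounting the commit message describes; it is not the atlantic driver's code and not part of the advisory. It replaces skb_shared_info's frags array with a fixed-size array of MAX_SKB_FRAGS (17) entries so that an add past the end is reported instead of corrupting memory, and contrasts the unfixed accounting (only continuation buffers are counted) with the fixed accounting (an extra fragment is budgeted whenever the head buffer's len exceeds AQ_CFG_RX_HDR_SIZE, and the bound is checked before any fragment is added). The AQ_CFG_RX_HDR_SIZE value, the buffer lengths and the function names are assumptions made for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* MAX_SKB_FRAGS is 17 on the configuration the advisory cites.
 * AQ_CFG_RX_HDR_SIZE is the driver's header-split size; 256 is an
 * assumed placeholder for this model, not a claim about the driver. */
#define MAX_SKB_FRAGS       17
#define AQ_CFG_RX_HDR_SIZE  256
#define MODEL_MAX_BUFS      64

/* One RX descriptor's buffer. bufs[0] is the head buffer of a packet,
 * bufs[1..n-1] are the continuation buffers of a multi-descriptor packet. */
struct rx_buff {
    unsigned int len;
};

/* Model of skb_shared_info's fixed-size frags array. In the kernel there
 * is no slot at index MAX_SKB_FRAGS, so an add there is the out-of-bounds
 * write that crashed in skb_add_rx_frag_netmem(). */
struct model_skb {
    unsigned int nr_frags;
    unsigned int frag_len[MAX_SKB_FRAGS];
};

/* Returns 0 on success, -1 when the add would run off the end. */
static int model_add_rx_frag(struct model_skb *skb, unsigned int len)
{
    if (skb->nr_frags >= MAX_SKB_FRAGS)
        return -1;                    /* would be the OOB write */
    skb->frag_len[skb->nr_frags++] = len;
    return 0;
}

/* Bytes of the head buffer beyond the header-split size cannot stay in
 * the linear area, so they cost one page fragment. */
static unsigned int head_extra_frags(const struct rx_buff *head)
{
    return head->len > AQ_CFG_RX_HDR_SIZE ? 1 : 0;
}

/* Unfixed accounting: only continuation buffers are counted, so a head
 * buffer larger than AQ_CFG_RX_HDR_SIZE is never budgeted for. */
static unsigned int count_frags_unfixed(const struct rx_buff *bufs, size_t n)
{
    (void)bufs;
    return (unsigned int)(n - 1);
}

/* Fixed accounting: assume the extra frag when head->len exceeds
 * AQ_CFG_RX_HDR_SIZE, so every add the build loop performs is counted. */
static unsigned int count_frags_fixed(const struct rx_buff *bufs, size_t n)
{
    return head_extra_frags(&bufs[0]) + (unsigned int)(n - 1);
}

/* Build the skb for one packet. frag_cnt is the count produced by either
 * policy. Returns 1 if the packet is dropped by the early bound check,
 * -1 if the count was wrong and an add ran off the array, 0 on success. */
static int build_skb(struct model_skb *skb, const struct rx_buff *bufs,
                     size_t n, unsigned int frag_cnt)
{
    skb->nr_frags = 0;
    if (frag_cnt > MAX_SKB_FRAGS)
        return 1;                     /* drop before touching frags[] */

    if (head_extra_frags(&bufs[0]) &&
        model_add_rx_frag(skb, bufs[0].len - AQ_CFG_RX_HDR_SIZE) != 0)
        return -1;
    for (size_t i = 1; i < n; i++)
        if (model_add_rx_frag(skb, bufs[i].len) != 0)
            return -1;
    return 0;
}

/* Constructed packet: one head buffer of head_len bytes followed by
 * n_cont continuation buffers. Every buffer length here is made up. */
int run_case(bool fixed, unsigned int head_len, size_t n_cont)
{
    struct rx_buff bufs[MODEL_MAX_BUFS];
    struct model_skb skb;
    size_t n = 1 + n_cont;

    if (n > MODEL_MAX_BUFS)
        return -2;
    bufs[0].len = head_len;
    for (size_t i = 1; i < n; i++)
        bufs[i].len = 2048;

    unsigned int cnt = fixed ? count_frags_fixed(bufs, n)
                             : count_frags_unfixed(bufs, n);
    return build_skb(&skb, bufs, n, cnt);
}

int main(void)
{
    printf("unfixed, big head + 17 cont: %d (-1 = out-of-bounds add)\n",
           run_case(false, 2048, MAX_SKB_FRAGS));
    printf("fixed,   big head + 17 cont: %d (1 = packet dropped)\n",
           run_case(true, 2048, MAX_SKB_FRAGS));
    printf("fixed,   big head + 16 cont: %d (0 = fits exactly)\n",
           run_case(true, 2048, MAX_SKB_FRAGS - 1));
    return 0;
}
```

The interesting case is a head buffer longer than the header-split size plus exactly MAX_SKB_FRAGS continuation buffers: the unfixed count says 17 and passes the bound check, but the head buffer's own fragment makes it 18 adds, and the last one lands past the array. The fixed count sees 18 up front and drops the packet before the first add.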

Impact