CVE-2025-71128
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 14/01/2026
Last modified: 14/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

erspan: Initialize options_len before referencing options.

The struct ip_tunnel_info has a flexible array member named
options that is protected by a counted_by(options_len)
attribute.

The compiler will use this information to enforce runtime bounds
checking deployed by FORTIFY_SOURCE string helpers.

As laid out in the GCC documentation, the counter must be
initialized before the first reference to the flexible array
member.

After scanning through the files that use struct ip_tunnel_info
and also refer to options or options_len, it appears the normal
case is to use the ip_tunnel_info_opts_set() helper.

Said helper would initialize options_len properly before copying
data into options, however in the GRE ERSPAN code a partial
update is done, preventing the use of the helper function.

Before this change the handling of ERSPAN traffic in GRE tunnels
would cause a kernel panic when the kernel is compiled with
GCC 15+ and having FORTIFY_SOURCE configured:

memcpy: detected buffer overflow: 4 byte write of buffer size 0

Call Trace:

__fortify_panic+0xd/0xf
erspan_rcv.cold+0x68/0x83
? ip_route_input_slow+0x816/0x9d0
gre_rcv+0x1b2/0x1c0
gre_rcv+0x8e/0x100
? raw_v4_input+0x2a0/0x2b0
ip_protocol_deliver_rcu+0x1ea/0x210
ip_local_deliver_finish+0x86/0x110
ip_local_deliver+0x65/0x110
? ip_rcv_finish_core+0xd6/0x360
ip_rcv+0x186/0x1a0

Reported-at: https://launchpad.net/bugs/2129580
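
The ordering rule described above, modelled in userspace C as an added example (not code from the kernel or from the patch). `struct tun_info`, `checked_copy()`, `tun_alloc()` and the two fill functions are hypothetical stand-ins, and the bounds check is written out by hand in place of the compiler-generated FORTIFY_SOURCE check.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#ifndef __has_attribute
#define __has_attribute(x) 0
#endif
#if __has_attribute(counted_by)
#define COUNTED_BY(m) __attribute__((counted_by(m)))
#else
#define COUNTED_BY(m) /* older compilers: annotation unavailable */
#endif

/* Constructed stand-in for struct ip_tunnel_info; not the kernel's layout. */
struct tun_info {
    uint8_t options_len;
    uint8_t options[] COUNTED_BY(options_len);
};

/* Hand-written model of a fortified memcpy: the destination size is whatever
 * the counter holds at call time. -1 stands in for __fortify_panic(). */
static int checked_copy(struct tun_info *info, const void *src, size_t n)
{
    if (n > info->options_len)
        return -1;              /* "n byte write of buffer size options_len" */
    memcpy(info->options, src, n);
    return 0;
}

/* Order that trips the check: copy first, set the counter afterwards. */
int fill_copy_first(struct tun_info *info, const void *md, uint8_t n)
{
    int rc = checked_copy(info, md, n);   /* options_len is still 0 here */
    info->options_len = n;
    return rc;
}

/* Order required by counted_by: set the counter, then touch the array. */
int fill_len_first(struct tun_info *info, const void *md, uint8_t n)
{
    info->options_len = n;
    return checked_copy(info, md, n);
}

/* Allocate room for max_opts option bytes; calloc leaves the counter at 0. */
struct tun_info *tun_alloc(size_t max_opts)
{
    return calloc(1, sizeof(struct tun_info) + max_opts);
}
```

The allocation is large enough in both cases; only the counter value at the time of the copy decides whether the check passes, which is why the failure reports a buffer size of 0.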



