CVE-2025-38185
Severity:
Pending analysis
Type:
Not available / Other
Publication date:
04/07/2025
Last modified:
04/07/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

atm: atmtcp: Free invalid length skb in atmtcp_c_send().

syzbot reported the splat below. [0]

vcc_sendmsg() copies data passed from userspace to skb and passes
it to vcc->dev->ops->send().

atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after
checking if skb->len is 0, but it's not enough.

Also, when skb->len == 0, skb and sk (vcc) were leaked because
dev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing
to revert atm_account_tx() in vcc_sendmsg(), which is expected
to be done in atm_pop_raw().

Let's properly free skb with an invalid length in atmtcp_c_send().

[0]:
BUG: KMSAN: uninit-value in atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294
atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294
vcc_sendmsg+0xd7c/0xff0 net/atm/common.c:644
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x330/0x3d0 net/socket.c:727
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566
___sys_sendmsg+0x271/0x3b0 net/socket.c:2620
__sys_sendmsg net/socket.c:2652 [inline]
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655
x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
slab_post_alloc_hook mm/slub.c:4154 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4249
kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579
__alloc_skb+0x347/0x7d0 net/core/skbuff.c:670
alloc_skb include/linux/skbuff.h:1336 [inline]
vcc_sendmsg+0xb40/0xff0 net/atm/common.c:628
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x330/0x3d0 net/socket.c:727
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566
___sys_sendmsg+0x271/0x3b0 net/socket.c:2620
__sys_sendmsg net/socket.c:2652 [inline]
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655
x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 5798 Comm: syz-executor192 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
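The two defects described above (a length check that only rejects zero before the data is read as a header, and an error path that returns without releasing the skb or reverting the socket accounting) as a constructed userspace model added here; it is not kernel code and not the fix commit. The struct and function names are stand-ins, and send_vulnerable/send_fixed mirror the reported and corrected shapes respectively.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model of the bug pattern; nothing here is kernel code. */
struct hdr { uint16_t vpi, vci; uint32_t length; };   /* stands in for struct atmtcp_hdr */
struct skb { size_t len; unsigned char *data; };       /* stands in for sk_buff */
struct vcc { long wmem_alloc; };                       /* stands in for sk_wmem_alloc */
typedef long (*send_fn)(struct vcc *, struct skb *);
/* vcc_sendmsg() side: alloc_skb() leaves data uninitialised and atm_account_tx()
 * charges the socket by truesize (modelled as len + sizeof *skb). */
static struct skb *account_tx(struct vcc *v, size_t len) {
    struct skb *s = malloc(sizeof *s);
    s->len = len; s->data = malloc(len ? len : 1);
    v->wmem_alloc += (long)(len + sizeof *s);
    return s;
}
/* atm_pop_raw() on the normal path: revert the charge, then free (dev_kfree_skb). */
static void pop_raw(struct vcc *v, struct skb *s) {
    v->wmem_alloc -= (long)(s->len + sizeof *s);
    free(s->data); free(s);
}
/* Reported shape: only len == 0 is rejected, and that path frees nothing. */
static long send_vulnerable(struct vcc *v, struct skb *s) {
    if (!s->len) return -1;                  /* skb and its charge are leaked */
    struct hdr *h = (struct hdr *)s->data;   /* KMSAN uninit-value if len < sizeof *h */
    long n = h->length;
    pop_raw(v, s);
    return n;
}
/* Fixed shape: anything shorter than the header is rejected and released. */
static long send_fixed(struct vcc *v, struct skb *s) {
    if (s->len < sizeof(struct hdr)) { pop_raw(v, s); return -1; }
    long n = ((struct hdr *)s->data)->length;
    pop_raw(v, s);
    return n;
}
/* Harness: copy len (<= 16) bytes of a constructed user message into a fresh skb,
 * run the sender and report its result plus what is still charged to the socket. */
long run_send(send_fn send, size_t len, long *leftover) {
    static const unsigned char user[16] = { 0, 1, 0, 2, 4, 0, 0, 0 };
    struct vcc v = { 0 };
    struct skb *s = account_tx(&v, len);
    memcpy(s->data, user, len);
    long rc = send(&v, s);
    *leftover = v.wmem_alloc;
    return rc;
}
```

A nonzero leftover after send_vulnerable with an empty message is the accounting leak the advisory describes; send_fixed leaves zero on every path.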
Impact
References to solutions, tools and information
- https://git.kernel.org/stable/c/1b0ad18704913c92a3ad53748fbc0f219a75b876
- https://git.kernel.org/stable/c/2f370ae1fb6317985f3497b1bb80d457508ca2f7
- https://git.kernel.org/stable/c/3261c017a7c5d2815c6a388c5a3280d1fba0e8db
- https://git.kernel.org/stable/c/a4b0fd8c25a7583f8564af6cc910418fb8954e89
- https://git.kernel.org/stable/c/c19c0943424b412a84fdf178e6c71fe5480e4f0f
- https://git.kernel.org/stable/c/c9260c837de1d2b454960a4a2e44a81272fbcd22
- https://git.kernel.org/stable/c/ca00f0e6d733ecd9150716d1fd0138d26e674706
- https://git.kernel.org/stable/c/e996507f59610e5752b8702537f13f551e7a2c96