CVE-2025-38224

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: kvaser_pciefd: refine error prone echo_skb_max handling logic<br /> <br /> echo_skb_max should define the supported upper limit of echo_skb[]<br /> allocated inside the netdevice&amp;#39;s priv. The corresponding size value<br /> provided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT<br /> which is 17.<br /> <br /> But later echo_skb_max is rounded up to the nearest power of two (for the<br /> max case, that would be 32) and the tx/ack indices calculated further<br /> during tx/rx may exceed the upper array boundary. Kasan reported this for<br /> the ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit<br /> function has actually caught the same thing earlier.<br /> <br /> BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528<br /> Read of size 8 at addr ffff888105e4f078 by task swapper/4/0<br /> <br /> CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary)<br /> Call Trace:<br /> <br /> dump_stack_lvl lib/dump_stack.c:122<br /> print_report mm/kasan/report.c:521<br /> kasan_report mm/kasan/report.c:634<br /> kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528<br /> kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605<br /> kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656<br /> kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684<br /> kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733<br /> __handle_irq_event_percpu kernel/irq/handle.c:158<br /> handle_irq_event kernel/irq/handle.c:210<br /> handle_edge_irq kernel/irq/chip.c:833<br /> __common_interrupt arch/x86/kernel/irq.c:296<br /> common_interrupt arch/x86/kernel/irq.c:286<br /> <br /> <br /> Tx max count definitely matters for kvaser_pciefd_tx_avail(), but for seq<br /> numbers&amp;#39; generation that&amp;#39;s not the case - we&amp;#39;re free to calculate them as<br /> would be more convenient, not taking tx max count into account. The only<br /> downside is that the size of echo_skb[] should correspond to the max seq<br /> number (not tx max count), so in some situations a bit more memory would<br /> be consumed than could be.<br /> <br /> Thus make the size of the underlying echo_skb[] sufficient for the rounded<br /> max tx value.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.