CVE-2025-38224
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
04/07/2025
Última modificación:
04/07/2025
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
can: kvaser_pciefd: refine error prone echo_skb_max handling logic<br />
<br />
echo_skb_max should define the supported upper limit of echo_skb[]<br />
allocated inside the netdevice&#39;s priv. The corresponding size value<br />
provided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT<br />
which is 17.<br />
<br />
But later echo_skb_max is rounded up to the nearest power of two (for the<br />
max case, that would be 32) and the tx/ack indices calculated further<br />
during tx/rx may exceed the upper array boundary. Kasan reported this for<br />
the ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit<br />
function has actually caught the same thing earlier.<br />
<br />
BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528<br />
Read of size 8 at addr ffff888105e4f078 by task swapper/4/0<br />
<br />
CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary)<br />
Call Trace:<br />
<br />
dump_stack_lvl lib/dump_stack.c:122<br />
print_report mm/kasan/report.c:521<br />
kasan_report mm/kasan/report.c:634<br />
kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528<br />
kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605<br />
kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656<br />
kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684<br />
kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733<br />
__handle_irq_event_percpu kernel/irq/handle.c:158<br />
handle_irq_event kernel/irq/handle.c:210<br />
handle_edge_irq kernel/irq/chip.c:833<br />
__common_interrupt arch/x86/kernel/irq.c:296<br />
common_interrupt arch/x86/kernel/irq.c:286<br />
<br />
<br />
Tx max count definitely matters for kvaser_pciefd_tx_avail(), but for seq<br />
numbers&#39; generation that&#39;s not the case - we&#39;re free to calculate them as<br />
would be more convenient, not taking tx max count into account. The only<br />
downside is that the size of echo_skb[] should correspond to the max seq<br />
number (not tx max count), so in some situations a bit more memory would<br />
be consumed than could be.<br />
<br />
Thus make the size of the underlying echo_skb[] sufficient for the rounded<br />
max tx value.<br />
<br />
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.