CVE-2025-39850
Severity:
Pending analysis
Type:
Not Available / Other type
Publication date:
19/09/2025
Last modified:
19/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects

When the "proxy" option is enabled on a VXLAN device, the device will
suppress ARP requests and IPv6 Neighbor Solicitation messages if it is
able to reply on behalf of the remote host. That is, if a matching and
valid neighbor entry is configured on the VXLAN device whose MAC address
is not behind the "any" remote (0.0.0.0 / ::).

The code currently assumes that the FDB entry for the neighbor's MAC
address points to a valid remote destination, but this is incorrect if
the entry is associated with an FDB nexthop group. This can result in a
NPD [1][3] which can be reproduced using [2][4].

Fix by checking that the remote destination exists before dereferencing
it.

[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
CPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
RIP: 0010:vxlan_xmit+0xb58/0x15f0
[...]
Call Trace:

dev_hard_start_xmit+0x5d/0x1c0
__dev_queue_xmit+0x246/0xfd0
packet_sendmsg+0x113a/0x1850
__sock_sendmsg+0x38/0x70
__sys_sendto+0x126/0x180
__x64_sys_sendto+0x24/0x30
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x4b/0x53

[2]
#!/bin/bash

ip address add 192.0.2.1/32 dev lo

ip nexthop add id 1 via 192.0.2.2 fdb
ip nexthop add id 10 group 1 fdb

ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy

ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0

bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10

arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3

[3]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
CPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
RIP: 0010:vxlan_xmit+0x803/0x1600
[...]
Call Trace:

dev_hard_start_xmit+0x5d/0x1c0
__dev_queue_xmit+0x246/0xfd0
ip6_finish_output2+0x210/0x6c0
ip6_finish_output+0x1af/0x2b0
ip6_mr_output+0x92/0x3e0
ip6_send_skb+0x30/0x90
rawv6_sendmsg+0xe6e/0x12e0
__sock_sendmsg+0x38/0x70
__sys_sendto+0x126/0x180
__x64_sys_sendto+0x24/0x30
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f383422ec77

[4]
#!/bin/bash

ip address add 2001:db8:1::1/128 dev lo

ip nexthop add id 1 via 2001:db8:1::1 fdb
ip nexthop add id 10 group 1 fdb

ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy

ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0

bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10

ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0
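
An audit check for the configuration the description names, added here as an example and not part of the advisory or the kernel commit: it reports VXLAN devices that have "proxy" enabled and at least one FDB entry bound to a nexthop object. The function names and sample text are constructed, and the parsing assumes iproute2's text output carries the `proxy` and `nhid` keywords as in the commands above; a match shows the configuration is in use, not whether the running kernel has the fix.

```bash
#!/bin/bash
# Added example (not from the advisory): list VXLAN devices that have both
# "proxy" enabled and an FDB entry bound to a nexthop object (nhid).

# Constructed sample text, assumed to follow iproute2's text output.
SAMPLE_LINK='5: vx0: <BROADCAST,UP> mtu 1450 \    vxlan id 10010 local 192.0.2.1 dstport 4789 proxy ttl auto
6: vx1: <BROADCAST,UP> mtu 1450 \    vxlan id 10011 local 192.0.2.1 dstport 4789 ttl auto'
SAMPLE_FDB='00:00:00:00:00:00 dev vx0 dst 192.0.2.9 self permanent
00:11:22:33:44:55 dev vx0 nhid 10 self static'

# stdin: `ip -d -o link show type vxlan`; stdout: devices with the proxy flag.
vxlan_proxy_devs() {
    awk '{ for (i = 3; i <= NF; i++) if ($i == "proxy") {
               name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
               print name; break } }'
}

# stdin: `bridge fdb show dev DEV`; stdout: "MAC NHID" per nexthop-backed entry.
fdb_nhid_macs() {
    awk '{ for (i = 2; i < NF; i++) if ($i == "nhid") print $1, $(i + 1) }'
}

# exposed_entries DEV LINK_TEXT FDB_TEXT
# Prints the nexthop-backed entries and returns 0 only if DEV also has proxy on.
exposed_entries() {
    local dev="$1" link_text="$2" fdb_text="$3"
    printf '%s\n' "$link_text" | vxlan_proxy_devs | grep -qx -- "$dev" || return 1
    printf '%s\n' "$fdb_text" | fdb_nhid_macs | grep .
}

# Run against the live host (needs iproute2): pass "live" as the first argument.
audit_live() {
    local link_text dev
    link_text=$(ip -d -o link show type vxlan)
    printf '%s\n' "$link_text" | vxlan_proxy_devs | while read -r dev; do
        exposed_entries "$dev" "$link_text" "$(bridge fdb show dev "$dev")" |
            awk -v d="$dev" '{ print d ": proxy on, FDB " $1 " -> nhid " $2 }'
    done
}

if [ "${1:-}" = live ]; then audit_live; fi
```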