CVE-2025-21865
Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 12/03/2025
Last modified: 03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().

Brad Spengler reported the list_del() corruption splat in
gtp_net_exit_batch_rtnl(). [0]

Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns
dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()
to destroy devices in each netns as done in geneve and ip tunnels.

However, this could trigger ->dellink() twice for the same device during
->exit_batch_rtnl().

Say we have two netns A & B and gtp device B that resides in netns B but
whose UDP socket is in netns A.

1. cleanup_net() processes netns A and then B.

2. gtp_net_exit_batch_rtnl() finds the device B while iterating
netns A's gn->gtp_dev_list and calls ->dellink().

[ device B is not yet unlinked from netns B
as unregister_netdevice_many() has not been called. ]

3. gtp_net_exit_batch_rtnl() finds the device B while iterating
netns B's for_each_netdev() and calls ->dellink().

gtp_dellink() cleans up the device's hash table, unlinks the dev from
gn->gtp_dev_list, and calls unregister_netdevice_queue().

Basically, calling gtp_dellink() multiple times is fine unless
CONFIG_DEBUG_LIST is enabled.

Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and
delegate the destruction to default_device_exit_batch() as done
in bareudp.

[0]:
list_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)
kernel BUG at lib/list_debug.c:58!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1
Tainted: [T]=RANDSTRUCT
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:[] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58
Call Trace:

[] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28
[] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28
[] list_del include/linux/list.h:262 [inl
---truncated---
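The double ->dellink() sequence the commit message walks through, modelled in user space as an added example (not the kernel's code or anything from this record): a CONFIG_DEBUG_LIST-style poison check reports the second list_del() when the for_each_netdev() loop is kept, and nothing fires once that loop is removed. The list helpers, struct layouts and the two-netns/one-device setup are assumptions that mirror the scenario above.

```c
#include <stddef.h>
#include <stdio.h>

struct node { struct node *next, *prev; };
static struct node poison_obj;                 /* stands in for LIST_POISON1 */
#define LIST_POISON1 (&poison_obj)
#define container_of(p, T, m) ((T *)((char *)(p) - offsetof(T, m)))

/* Assumed shapes: a gtp device belongs to dev_ns but sits on the
 * gtp_dev_list of the netns that owns its UDP socket (sock_ns). */
struct gtp_dev { const char *name; int sock_ns, dev_ns; struct node list; };
struct netns { int id; struct node gtp_dev_list; };

static void list_init(struct node *h) { h->next = h->prev = h; }
static void list_add(struct node *h, struct node *n)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }

/* CONFIG_DEBUG_LIST-style check: a second list_del() on an entry that was
 * already unlinked sees the poison and reports it instead of writing through. */
static int list_del_checked(struct node *n)
{
    if (n->next == LIST_POISON1) return -1;    /* "list_del corruption" */
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = LIST_POISON1;                    /* poison like the kernel does */
    return 0;
}

static int gtp_dellink(struct gtp_dev *d) { return list_del_checked(&d->list); }

/* One netns's share of ->exit_batch_rtnl(); returns the number of double unlinks. */
static int gtp_net_exit_batch_rtnl(struct netns *ns, struct gtp_dev *devs, int ndev, int for_each_netdev)
{
    int bad = 0;
    struct node *p, *tmp;
    for (p = ns->gtp_dev_list.next; p != &ns->gtp_dev_list; p = tmp) {  /* _safe walk */
        tmp = p->next;
        if (gtp_dellink(container_of(p, struct gtp_dev, list)) < 0) bad++;
    }
    /* The loop the fix removes: device B is still on netns B's device list
     * because unregister_netdevice_many() has not run yet. */
    for (int i = 0; for_each_netdev && i < ndev; i++)
        if (devs[i].dev_ns == ns->id && gtp_dellink(&devs[i]) < 0) bad++;
    return bad;
}

/* Device B lives in netns B but its UDP socket (hence its list entry) is in netns A. */
int run_cleanup_net(int with_for_each_netdev)
{
    struct netns a = { .id = 0 }, b = { .id = 1 };
    struct gtp_dev devs[1] = { { "gtp-B", .sock_ns = 0, .dev_ns = 1 } };
    list_init(&a.gtp_dev_list); list_init(&b.gtp_dev_list);
    list_add(&a.gtp_dev_list, &devs[0].list);
    /* cleanup_net() processes netns A and then B */
    return gtp_net_exit_batch_rtnl(&a, devs, 1, with_for_each_netdev)
         + gtp_net_exit_batch_rtnl(&b, devs, 1, with_for_each_netdev);
}

int main(void) { printf("with loop: %d double unlink(s); without: %d\n", run_cleanup_net(1), run_cleanup_net(0)); return 0; }
```

In the fixed variant the device is unlinked exactly once (from netns A's list); the model leaves the remaining netdev teardown to what default_device_exit_batch() would do in the kernel.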
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.127 (including) | 6.1.130 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.74 (including) | 6.6.80 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12.11 (including) | 6.12.17 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.4.290:*:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.10.234:*:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.15.177:*:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/33eb925c0c26e86ca540a08254806512bf911f22
- https://git.kernel.org/stable/c/37e7644b961600ef0beb01d3970c3034a62913af
- https://git.kernel.org/stable/c/4ccacf86491d33d2486b62d4d44864d7101b299d
- https://git.kernel.org/stable/c/7f86fb07db65a470d0c11f79da551bd9466357dc
- https://git.kernel.org/stable/c/9d03e7e37187ae140e716377599493987fb20c5b
- https://git.kernel.org/stable/c/b70fa591b066d52b141fc430ffdee35b6cc87a66
- https://git.kernel.org/stable/c/cb15bb1bde0ba97cbbed9508e45210dcafec3657
- https://git.kernel.org/stable/c/ff81b14010362f6188ca26fec22ff05e4da45595
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html