CVE-2025-21922

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/04/2025
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ppp: Fix KMSAN uninit-value warning with bpf

Syzbot caught a "KMSAN: uninit-value" warning [1], which is caused by the
ppp driver not initializing a 2-byte header when using socket filter.

The following code can generate a PPP filter BPF program:
'''
#include <pcap/pcap.h>

int main(void)
{
    struct bpf_program fp;
    pcap_t *handle = pcap_open_dead(DLT_PPP_PPPD, 65535);
    pcap_compile(handle, &fp, "ip and outbound", 0, 0);
    bpf_dump(&fp, 1);
    return 0;
}
'''
Its output is:
'''
(000) ldh [2]
(001) jeq #0x21 jt 2 jf 5
(002) ldb [0]
(003) jeq #0x1 jt 4 jf 5
(004) ret #65535
(005) ret #0
'''
We can find similar code at the following link:
https://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680
The maintainer of this code repository is also the original maintainer
of the ppp driver.

As you can see the BPF program skips 2 bytes of data and then reads the
'Protocol' field to determine if it's an IP packet. Then it reads the first
byte of the first 2 bytes to determine the direction.

The issue is that only the first byte indicating direction is initialized
in current ppp driver code while the second byte is not initialized.

For normal BPF programs generated by libpcap, uninitialized data won't be
used, so it's not a problem. However, for carefully crafted BPF programs,
such as those generated by syzkaller [2], which start reading from offset
0, the uninitialized data will be used and caught by KMSAN.

[1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791
[2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000
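To make the description concrete, the following added example (my own illustration, not kernel or libpcap code) interprets the six-instruction filter above over a constructed DLT_PPP_PPPD-style buffer whose byte 1 is marked as never written, and records whether any load touches that byte. Jump targets are taken as the absolute instruction numbers bpf_dump prints; the packet layout and the "UNINIT" marker are assumptions of this example.

```python
# Minimal classic-BPF interpreter for the subset used by the PPP filter:
# ldh [k], ldb [k], jeq #k jt jf (absolute targets), ret #k.
UNINIT = None  # marker for a byte the driver never wrote (the KMSAN condition)

# The libpcap program from the advisory, as (op, k, jt, jf) tuples.
PPP_FILTER = [
    ("ldh", 2, 0, 0),        # load 16-bit Protocol field at offset 2
    ("jeq", 0x21, 2, 5),     # 0x0021 == IP? else reject
    ("ldb", 0, 0, 0),        # load direction byte at offset 0
    ("jeq", 0x1, 4, 5),      # 1 == outbound? else reject
    ("ret", 65535, 0, 0),    # accept
    ("ret", 0, 0, 0),        # reject
]

# A program that starts reading at offset 0 with a 16-bit load, so it
# covers the pad byte at offset 1 (constructed to show the failure mode).
OFFSET0_FILTER = [("ldh", 0, 0, 0), ("ret", 65535, 0, 0)]


def ppp_pseudo_packet(outbound, proto, payload=b"", pad_initialized=False):
    """2-byte direction header + 2-byte protocol + payload, as the filter sees it.
    Byte 1 is UNINIT unless pad_initialized is True (the fixed driver)."""
    hdr = [1 if outbound else 0, 0 if pad_initialized else UNINIT]
    return hdr + [(proto >> 8) & 0xFF, proto & 0xFF] + list(payload)


def run_filter(prog, pkt):
    """Run prog over pkt. Returns (ret_value, sorted list of UNINIT offsets read).
    An UNINIT byte is counted as a tainted read and evaluated as 0."""
    pc, acc, tainted = 0, 0, set()

    def load(off, width):
        val = 0
        for i in range(width):
            b = pkt[off + i]
            if b is UNINIT:
                tainted.add(off + i)
                b = 0
            val = (val << 8) | b
        return val

    while True:
        op, k, jt, jf = prog[pc]
        if op == "ldh":
            acc, pc = load(k, 2), pc + 1
        elif op == "ldb":
            acc, pc = load(k, 1), pc + 1
        elif op == "jeq":
            pc = jt if acc == k else jf
        elif op == "ret":
            return k, sorted(tainted)
        else:
            raise ValueError(f"unsupported opcode {op}")
```

Running the libpcap filter reports no tainted reads on either direction, while the offset-0 program reads byte 1 only when the pad is left uninitialized.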

Vulnerable products and versions

CPE                                                 From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        2.6.12 (including)   5.4.291 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.5 (including)      5.10.235 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.11 (including)     5.15.179 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.16 (including)     6.1.131 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.2 (including)      6.6.83 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.7 (including)      6.12.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.13 (including)     6.13.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*