CVE-2025-39917

Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 01/10/2025
Last modified: 14/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt

Stanislav reported that in bpf_crypto_crypt() the destination dynptr's size is not validated to be at least as large as the source dynptr's size before calling into the crypto backend with 'len = src_len'. This can result in an OOB write when the destination is smaller than the source.

Concretely, in mentioned function, psrc and pdst are both linear buffers fetched from each dynptr:

  psrc = __bpf_dynptr_data(src, src_len);
  [...]
  pdst = __bpf_dynptr_data_rw(dst, dst_len);
  [...]
  err = decrypt ?
        ctx->type->decrypt(ctx->tfm, psrc, pdst, src_len, piv) :
        ctx->type->encrypt(ctx->tfm, psrc, pdst, src_len, piv);

The crypto backend expects pdst to be large enough with a src_len length that can be written. Add an additional src_len > dst_len check and bail out if it's the case. Note that these kfuncs are accessible under root privileges only.
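The length handling described above, as an added user-space model (not the kernel's code and not part of the original advisory): the same routine is run without and with the src_len > dst_len check, and a canary region shows where the extra bytes land. The names model_dynptr, toy_backend, model_crypt and canary_damage, the XOR backend and the -EINVAL return value are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space stand-in for a dynptr: a linear buffer plus its size. */
struct model_dynptr { uint8_t *data; size_t size; };

/* Toy backend (XOR, not a real cipher): trusts len, writes len bytes to dst. */
static void toy_backend(const uint8_t *src, uint8_t *dst, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i] ^ 0x5a;
}

/* One routine for both shapes: check_dst = 0 models the pre-fix code
 * (len = src_len, dst size ignored); 1 adds the src_len > dst_len bail-out. */
static int model_crypt(const struct model_dynptr *src,
                       struct model_dynptr *dst, int check_dst)
{
    if (!src->size || !dst->size)
        return -EINVAL;
    if (check_dst && src->size > dst->size)
        return -EINVAL; /* error code is an assumption of this model */
    toy_backend(src->data, dst->data, src->size);
    return 0;
}

/* Constructed case: 16-byte source, 8-byte destination window at the start of
 * a 16-byte arena; bytes 8..15 are a canary. Returns canary bytes overwritten. */
static int canary_damage(int check_dst, int *ret)
{
    uint8_t plain[16], arena[16];
    memset(plain, 0x11, sizeof(plain));
    memset(arena, 0xCC, sizeof(arena));
    struct model_dynptr src = { plain, sizeof(plain) };
    struct model_dynptr dst = { arena, 8 };
    int damaged = 0;
    *ret = model_crypt(&src, &dst, check_dst);
    for (size_t i = 8; i < sizeof(arena); i++)
        damaged += (arena[i] != 0xCC);
    return damaged;
}

int main(void)
{
    int r0, r1, d0 = canary_damage(0, &r0), d1 = canary_damage(1, &r1);
    printf("unchecked: ret=%d damaged=%d\nchecked:   ret=%d damaged=%d\n", r0, d0, r1, d1);
    return 0;
}
```

The overrun is kept inside one array so the model stays well-defined C; in the kernel the bytes past dst_len belong to whatever follows the destination dynptr's backing memory.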

Vulnerable products and versions

CPE                                             From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.10 (including)  6.12.48 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.13 (including)  6.16.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*