CVE-2025-68785

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: openvswitch: fix middle attribute validation in push_nsh() action<br /> <br /> The push_nsh() action structure looks like this:<br /> <br /> OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))<br /> <br /> The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK&amp;#39;ed by the<br /> nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost<br /> OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK&amp;#39;ed by the nla_for_each_nested()<br /> inside nsh_key_put_from_nlattr(). But nothing checks if the attribute<br /> in the middle is OK. We don&amp;#39;t even check that this attribute is the<br /> OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()<br /> calls - first time directly while calling validate_push_nsh() and the<br /> second time as part of the nla_for_each_nested() macro, which isn&amp;#39;t<br /> safe, potentially causing invalid memory access if the size of this<br /> attribute is incorrect. The failure may not be noticed during<br /> validation due to larger netlink buffer, but cause trouble later during<br /> action execution where the buffer is allocated exactly to the size:<br /> <br /> BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]<br /> Read of size 184 at addr ffff88816459a634 by task a.out/22624<br /> <br /> CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x51/0x70<br /> print_address_description.constprop.0+0x2c/0x390<br /> kasan_report+0xdd/0x110<br /> kasan_check_range+0x35/0x1b0<br /> __asan_memcpy+0x20/0x60<br /> nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]<br /> push_nsh+0x82/0x120 [openvswitch]<br /> do_execute_actions+0x1405/0x2840 [openvswitch]<br /> ovs_execute_actions+0xd5/0x3b0 [openvswitch]<br /> ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]<br /> genl_family_rcv_msg_doit+0x1d6/0x2b0<br /> genl_family_rcv_msg+0x336/0x580<br /> genl_rcv_msg+0x9f/0x130<br /> netlink_rcv_skb+0x11f/0x370<br /> genl_rcv+0x24/0x40<br /> netlink_unicast+0x73e/0xaa0<br /> netlink_sendmsg+0x744/0xbf0<br /> __sys_sendto+0x3d6/0x450<br /> do_syscall_64+0x79/0x2c0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> <br /> Let&amp;#39;s add some checks that the attribute is properly sized and it&amp;#39;s<br /> the only one attribute inside the action. Technically, there is no<br /> real reason for OVS_KEY_ATTR_NSH to be there, as we know that we&amp;#39;re<br /> pushing an NSH header already, it just creates extra nesting, but<br /> that&amp;#39;s how uAPI works today. So, keeping as it is.