cve-2025-21719
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-03-24 15:39
Severity ?
EPSS score ?
0.07% (0.22615)
Summary
In the Linux kernel, the following vulnerability has been resolved: ipmr: do not call mr_mfc_uses_dev() for unres entries syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to "struct sk_buff_head unresolved", which contain two pointers. This code never worked, lets remove it. [1] Unable to handle kernel paging request at virtual address ffff5fff2d536613 KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f] Modules linked in: CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline] lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334 Call trace: mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P) mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P) mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382 ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648 rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327 rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791 netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317 netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973 sock_recvmsg_nosec net/socket.c:1033 [inline] sock_recvmsg net/socket.c:1055 [inline] sock_read_iter+0x2d8/0x40c net/socket.c:1125 new_sync_read fs/read_write.c:484 [inline] vfs_read+0x740/0x970 fs/read_write.c:565 ksys_read+0x15c/0x26c fs/read_write.c:708
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/15a901361ec3fb1c393f91880e1cbf24ec0a88bd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/26bb7d991f04eeef47dfad23e533834995c26f7a
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/53df27fd38f84bd3cd6b004eb4ff3c4903114f1d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/547ef7e8cbb98f966c8719a3e15d4e078aaa9b47
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/57177c5f47a8da852f8d76cf6945cf803f8bb9e5
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/71a0fcb68c0a5f3ec912b540cd5d72148e6ee5f1
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a099834a51ccf9bbba3de86a251b3433539abfde
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b379b3162ff55a70464c6a934ae9bf0497478a62
Impacted products
Vendor Product Version
Linux Linux Version: cb167893f41e21e6bd283d78e53489289dc0592d
Version: cb167893f41e21e6bd283d78e53489289dc0592d
Version: cb167893f41e21e6bd283d78e53489289dc0592d
Version: cb167893f41e21e6bd283d78e53489289dc0592d
Version: cb167893f41e21e6bd283d78e53489289dc0592d
Version: cb167893f41e21e6bd283d78e53489289dc0592d
Version: cb167893f41e21e6bd283d78e53489289dc0592d
Version: cb167893f41e21e6bd283d78e53489289dc0592d
 Create a notification for this product.
   Linux Linux Version: 4.20
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Linux",
               programFiles: [
                  "net/ipv4/ipmr_base.c",
               ],
               repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
               vendor: "Linux",
               versions: [
                  {
                     lessThan: "71a0fcb68c0a5f3ec912b540cd5d72148e6ee5f1",
                     status: "affected",
                     version: "cb167893f41e21e6bd283d78e53489289dc0592d",
                     versionType: "git",
                  },
                  {
                     lessThan: "53df27fd38f84bd3cd6b004eb4ff3c4903114f1d",
                     status: "affected",
                     version: "cb167893f41e21e6bd283d78e53489289dc0592d",
                     versionType: "git",
                  },
                  {
                     lessThan: "547ef7e8cbb98f966c8719a3e15d4e078aaa9b47",
                     status: "affected",
                     version: "cb167893f41e21e6bd283d78e53489289dc0592d",
                     versionType: "git",
                  },
                  {
                     lessThan: "57177c5f47a8da852f8d76cf6945cf803f8bb9e5",
                     status: "affected",
                     version: "cb167893f41e21e6bd283d78e53489289dc0592d",
                     versionType: "git",
                  },
                  {
                     lessThan: "b379b3162ff55a70464c6a934ae9bf0497478a62",
                     status: "affected",
                     version: "cb167893f41e21e6bd283d78e53489289dc0592d",
                     versionType: "git",
                  },
                  {
                     lessThan: "a099834a51ccf9bbba3de86a251b3433539abfde",
                     status: "affected",
                     version: "cb167893f41e21e6bd283d78e53489289dc0592d",
                     versionType: "git",
                  },
                  {
                     lessThan: "26bb7d991f04eeef47dfad23e533834995c26f7a",
                     status: "affected",
                     version: "cb167893f41e21e6bd283d78e53489289dc0592d",
                     versionType: "git",
                  },
                  {
                     lessThan: "15a901361ec3fb1c393f91880e1cbf24ec0a88bd",
                     status: "affected",
                     version: "cb167893f41e21e6bd283d78e53489289dc0592d",
                     versionType: "git",
                  },
               ],
            },
            {
               defaultStatus: "affected",
               product: "Linux",
               programFiles: [
                  "net/ipv4/ipmr_base.c",
               ],
               repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
               vendor: "Linux",
               versions: [
                  {
                     status: "affected",
                     version: "4.20",
                  },
                  {
                     lessThan: "4.20",
                     status: "unaffected",
                     version: "0",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "5.4.*",
                     status: "unaffected",
                     version: "5.4.291",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "5.10.*",
                     status: "unaffected",
                     version: "5.10.235",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "5.15.*",
                     status: "unaffected",
                     version: "5.15.179",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.1.*",
                     status: "unaffected",
                     version: "6.1.129",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.6.*",
                     status: "unaffected",
                     version: "6.6.76",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.12.*",
                     status: "unaffected",
                     version: "6.12.13",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.13.*",
                     status: "unaffected",
                     version: "6.13.2",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "*",
                     status: "unaffected",
                     version: "6.14",
                     versionType: "original_commit_for_fix",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In the Linux kernel, the following vulnerability has been resolved:\n\nipmr: do not call mr_mfc_uses_dev() for unres entries\n\nsyzbot found that calling mr_mfc_uses_dev() for unres entries\nwould crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif\nalias to \"struct sk_buff_head unresolved\", which contain two pointers.\n\nThis code never worked, lets remove it.\n\n[1]\nUnable to handle kernel paging request at virtual address ffff5fff2d536613\nKASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]\nModules linked in:\nCPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]\n pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334\n lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]\n lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334\nCall trace:\n  mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)\n  mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)\n  mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382\n  ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648\n  rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327\n  rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791\n  netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317\n  netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973\n  sock_recvmsg_nosec net/socket.c:1033 [inline]\n  sock_recvmsg net/socket.c:1055 [inline]\n  sock_read_iter+0x2d8/0x40c net/socket.c:1125\n  new_sync_read fs/read_write.c:484 [inline]\n  vfs_read+0x740/0x970 fs/read_write.c:565\n  ksys_read+0x15c/0x26c fs/read_write.c:708",
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-03-24T15:39:18.090Z",
            orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            shortName: "Linux",
         },
         references: [
            {
               url: "https://git.kernel.org/stable/c/71a0fcb68c0a5f3ec912b540cd5d72148e6ee5f1",
            },
            {
               url: "https://git.kernel.org/stable/c/53df27fd38f84bd3cd6b004eb4ff3c4903114f1d",
            },
            {
               url: "https://git.kernel.org/stable/c/547ef7e8cbb98f966c8719a3e15d4e078aaa9b47",
            },
            {
               url: "https://git.kernel.org/stable/c/57177c5f47a8da852f8d76cf6945cf803f8bb9e5",
            },
            {
               url: "https://git.kernel.org/stable/c/b379b3162ff55a70464c6a934ae9bf0497478a62",
            },
            {
               url: "https://git.kernel.org/stable/c/a099834a51ccf9bbba3de86a251b3433539abfde",
            },
            {
               url: "https://git.kernel.org/stable/c/26bb7d991f04eeef47dfad23e533834995c26f7a",
            },
            {
               url: "https://git.kernel.org/stable/c/15a901361ec3fb1c393f91880e1cbf24ec0a88bd",
            },
         ],
         title: "ipmr: do not call mr_mfc_uses_dev() for unres entries",
         x_generator: {
            engine: "bippy-5f407fcff5a0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      assignerShortName: "Linux",
      cveId: "CVE-2025-21719",
      datePublished: "2025-02-27T02:07:28.573Z",
      dateReserved: "2024-12-29T08:45:45.753Z",
      dateUpdated: "2025-03-24T15:39:18.090Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2025-21719\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-27T02:15:15.580\",\"lastModified\":\"2025-03-13T13:15:49.913\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipmr: do not call mr_mfc_uses_dev() for unres entries\\n\\nsyzbot found that calling mr_mfc_uses_dev() for unres entries\\nwould crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif\\nalias to \\\"struct sk_buff_head unresolved\\\", which contain two pointers.\\n\\nThis code never worked, lets remove it.\\n\\n[1]\\nUnable to handle kernel paging request at virtual address ffff5fff2d536613\\nKASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]\\nModules linked in:\\nCPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]\\n pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334\\n lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]\\n lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334\\nCall trace:\\n  mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)\\n  mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)\\n  mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382\\n  ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648\\n  rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327\\n  rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791\\n  netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317\\n  netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973\\n  sock_recvmsg_nosec net/socket.c:1033 [inline]\\n  sock_recvmsg net/socket.c:1055 [inline]\\n  sock_read_iter+0x2d8/0x40c net/socket.c:1125\\n  new_sync_read fs/read_write.c:484 [inline]\\n  vfs_read+0x740/0x970 fs/read_write.c:565\\n  ksys_read+0x15c/0x26c fs/read_write.c:708\"},{\"lang\":\"es\",\"value\":\"En el núcleo de Linux, se ha resuelto la siguiente vulnerabilidad: ipmr: no llamar a mr_mfc_uses_dev() para entradas no resueltas syzbot descubrió que llamar a mr_mfc_uses_dev() para entradas no resueltas provocaría un bloqueo [1], porque c->mfc_un.res.minvif / c->mfc_un.res.maxvif son alias de \\\"struct sk_buff_head unresolved\\\", que contienen dos punteros. Este código nunca funcionó, eliminémoslo. [1] No se puede manejar la solicitud de paginación del kernel en la dirección virtual ffff5fff2d536613 KASAN: tal vez un acceso a memoria salvaje en el rango [0xfffefff96a9b3098-0xfffefff96a9b309f] Módulos vinculados: CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 No contaminado 6.13.0-rc7-syzkaller-g1950a0af2d55 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 13/09/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [en línea] pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [en línea] lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334 Rastreo de llamadas: mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [en línea] (P) mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P) mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382 ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648 rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327 rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791 netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317 netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973 sock_recvmsg_nosec net/socket.c:1033 [en línea] sock_recvmsg net/socket.c:1055 [en línea] sock_read_iter+0x2d8/0x40c net/socket.c:1125 new_sync_read fs/read_write.c:484 [en línea] vfs_read+0x740/0x970 fs/read_write.c:565 ksys_read+0x15c/0x26c fs/read_write.c:708\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/15a901361ec3fb1c393f91880e1cbf24ec0a88bd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/26bb7d991f04eeef47dfad23e533834995c26f7a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/53df27fd38f84bd3cd6b004eb4ff3c4903114f1d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/547ef7e8cbb98f966c8719a3e15d4e078aaa9b47\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/57177c5f47a8da852f8d76cf6945cf803f8bb9e5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/71a0fcb68c0a5f3ec912b540cd5d72148e6ee5f1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a099834a51ccf9bbba3de86a251b3433539abfde\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b379b3162ff55a70464c6a934ae9bf0497478a62\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}",
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.