fkie_cve-2025-21653
Vulnerability from fkie_nvd
Published
2025-01-19 11:15
Modified
2025-02-02 11:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute syzbot found that TCA_FLOW_RSHIFT attribute was not validated. Right shitfing a 32bit integer is undefined for large shift values. UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23 shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int') CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329 tc_classify include/net/tc_wrapper.h:197 [inline] __tcf_classify net/sched/cls_api.c:1771 [inline] tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867 sfb_classify net/sched/sch_sfb.c:260 [inline] sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318 dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793 __dev_xmit_skb net/core/dev.c:3889 [inline] __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_hh_output include/net/neighbour.h:523 [inline] neigh_output include/net/neighbour.h:537 [inline] ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236 iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82 udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173 geneve_xmit_skb drivers/net/geneve.c:916 [inline] geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039 __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] xmit_one net/core/dev.c:3590 [inline] dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606 __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2011749ca96460386844dfc7e0fde53ebee96f3c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/43658e4a5f2770ad94e93362885ff51c10cf3179
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6fde663f7321418996645ee602a473457640542f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9858f4afeb2e59506e714176bd3e135539a3eeec
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a039e54397c6a75b713b9ce7894a62e06956aa92
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a313d6e6d5f3a631cae5a241c392c28868aa5c5e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e54beb9aed2a90dddf4c5d68fcfc9a01f3e40a61
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute\n\nsyzbot found that TCA_FLOW_RSHIFT attribute was not validated.\nRight shitfing a 32bit integer is undefined for large shift values.\n\nUBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23\nshift exponent 9445 is too large for 32-bit type \u0027u32\u0027 (aka \u0027unsigned int\u0027)\nCPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: ipv6_addrconf addrconf_dad_work\nCall Trace:\n \u003cTASK\u003e\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:231 [inline]\n  __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468\n  flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329\n  tc_classify include/net/tc_wrapper.h:197 [inline]\n  __tcf_classify net/sched/cls_api.c:1771 [inline]\n  tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867\n  sfb_classify net/sched/sch_sfb.c:260 [inline]\n  sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318\n  dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793\n  __dev_xmit_skb net/core/dev.c:3889 [inline]\n  __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400\n  dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n  neigh_hh_output include/net/neighbour.h:523 [inline]\n  neigh_output include/net/neighbour.h:537 [inline]\n  ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236\n  iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82\n  udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173\n  geneve_xmit_skb drivers/net/geneve.c:916 [inline]\n  geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039\n  __netdev_start_xmit include/linux/netdevice.h:5002 [inline]\n  netdev_start_xmit include/linux/netdevice.h:5011 [inline]\n  xmit_one net/core/dev.c:3590 [inline]\n  dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606\n  __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net_sched: cls_flow: validar el atributo TCA_FLOW_RSHIFT syzbot encontr\u00f3 que el atributo TCA_FLOW_RSHIFT no estaba validado. El uso de un entero de 32 bits con valores de desplazamiento grandes no est\u00e1 definido. UBSAN: cambio fuera de los l\u00edmites en net/sched/cls_flow.c:329:23 El exponente de cambio 9445 es demasiado grande para el tipo de 32 bits \u0027u32\u0027 (tambi\u00e9n conocido como \u0027unsigned int\u0027) CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 No contaminado 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 13/09/2024 Cola de trabajo: ipv6_addrconf addrconf_dad_work Seguimiento de llamadas:  __dump_stack lib/dump_stack.c:94 [en l\u00ednea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [en l\u00ednea] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329 tc_classify include/net/tc_wrapper.h:197 [en l\u00ednea] __tcf_classify net/sched/cls_api.c:1771 [en l\u00ednea] tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867 sfb_classify net/sched/sch_sfb.c:260 [en l\u00ednea] sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318 dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793 __dev_xmit_skb net/core/dev.c:3889 [en l\u00ednea] __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400 dev_queue_xmit include/linux/netdevice.h:3168 [en l\u00ednea] neigh_hh_output include/net/neighbour.h:523 [en l\u00ednea] neigh_output include/net/neighbour.h:537 [en l\u00ednea] ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236 iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82 udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173 geneve_xmit_skb drivers/net/geneve.c:916 [en l\u00ednea] geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039 __netdev_start_xmit include/linux/netdevice.h:5002 [en l\u00ednea] netdev_start_xmit include/linux/netdevice.h:5011 [en l\u00ednea] xmit_one net/core/dev.c:3590 [en l\u00ednea] dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606 __dev_queue_xmit+0x1b73/0x3f50 red/n\u00facleo/dev.c:4434"
    }
  ],
  "id": "CVE-2025-21653",
  "lastModified": "2025-02-02T11:15:15.557",
  "metrics": {},
  "published": "2025-01-19T11:15:10.940",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2011749ca96460386844dfc7e0fde53ebee96f3c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/43658e4a5f2770ad94e93362885ff51c10cf3179"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6fde663f7321418996645ee602a473457640542f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9858f4afeb2e59506e714176bd3e135539a3eeec"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a039e54397c6a75b713b9ce7894a62e06956aa92"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a313d6e6d5f3a631cae5a241c392c28868aa5c5e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e54beb9aed2a90dddf4c5d68fcfc9a01f3e40a61"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.