ghsa-fj46-x93r-g8xj
Vulnerability from github
Published
2025-12-16 15:30
Modified
2025-12-16 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix general protection fault in __smc_diag_dump

The syzbot report a crash:

Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f] CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline] RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89 Call Trace: smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217 smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234 netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327 __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442 netlink_dump_start include/linux/netlink.h:341 [inline] smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251 __sock_diag_cmd net/core/sock_diag.c:249 [inline] sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg net/socket.c:729 [inline] _syssendmsg+0xa95/0xc70 net/socket.c:2614 _sys_sendmsg+0x134/0x1d0 net/socket.c:2668 __sys_sendmsg+0x16d/0x220 net/socket.c:2700 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The process like this:

           (CPU1)              |             (CPU2)

---------------------------------|------------------------------- inet_create() | // init clcsock to NULL | sk = sk_alloc() | | // unexpectedly change clcsock | inet_init_csk_locks() | | // add sk to hash table | smc_inet_init_sock() | smc_sk_init() | smc_hash_sk() | | // traverse the hash table | smc_diag_dump_proto | __smc_diag_dump() | // visit wrong clcsock | smc_diag_msg_common_fill() // alloc clcsock | smc_create_clcsk | sock_create_kern |

With CONFIG_DEBUG_LOCK_ALLOC=y, the smc->clcsock is unexpectedly changed in inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is no need by smc, just remove it.

After removing the INET_PROTOSW_ICSK flag, this patch alse revert commit 6fd27ea183c2 ("net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC") to avoid casting smc_sock to inet_connection_sock.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-40357"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-16T14:15:47Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix general protection fault in __smc_diag_dump\n\nThe syzbot report a crash:\n\n  Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI\n  KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]\n  CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full)\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n  RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]\n  RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89\n  Call Trace:\n   \u003cTASK\u003e\n   smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217\n   smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234\n   netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327\n   __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442\n   netlink_dump_start include/linux/netlink.h:341 [inline]\n   smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251\n   __sock_diag_cmd net/core/sock_diag.c:249 [inline]\n   sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285\n   netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552\n   netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n   netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346\n   netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896\n   sock_sendmsg_nosec net/socket.c:714 [inline]\n   __sock_sendmsg net/socket.c:729 [inline]\n   ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614\n   ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668\n   __sys_sendmsg+0x16d/0x220 net/socket.c:2700\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   \u003c/TASK\u003e\n\nThe process like this:\n\n               (CPU1)              |             (CPU2)\n  ---------------------------------|-------------------------------\n  inet_create()                    |\n    // init clcsock to NULL        |\n    sk = sk_alloc()                |\n                                   |\n    // unexpectedly change clcsock |\n    inet_init_csk_locks()          |\n                                   |\n    // add sk to hash table        |\n    smc_inet_init_sock()           |\n      smc_sk_init()                |\n        smc_hash_sk()              |\n                                   | // traverse the hash table\n                                   | smc_diag_dump_proto\n                                   |   __smc_diag_dump()\n                                   |     // visit wrong clcsock\n                                   |     smc_diag_msg_common_fill()\n    // alloc clcsock               |\n    smc_create_clcsk               |\n      sock_create_kern             |\n\nWith CONFIG_DEBUG_LOCK_ALLOC=y, the smc-\u003eclcsock is unexpectedly changed\nin inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is no need by smc,\njust remove it.\n\nAfter removing the INET_PROTOSW_ICSK flag, this patch alse revert\ncommit 6fd27ea183c2 (\"net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC\")\nto avoid casting smc_sock to inet_connection_sock.",
  "id": "GHSA-fj46-x93r-g8xj",
  "modified": "2025-12-16T15:30:43Z",
  "published": "2025-12-16T15:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40357"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5b6fc95c4a161326567bdf12a333768565b638f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/99b5b3faf3220ba1cdab8e6e42be4f3f993937c3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f584239a9ed25057496bf397c370cc5163dde419"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.