Cyber Posture

CVE-2025-21719

Severity: High
Published: 27 February 2025
Modified: 03 November 2025
KEV Added: none listed
Patch: none listed
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0002 (4.6th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

ipmr: do not call mr_mfc_uses_dev() for unres entries

syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to "struct sk_buff_head unresolved", which contain two pointers.

This code never worked, let's remove it.

[1]
Unable to handle kernel paging request at virtual address ffff5fff2d536613
KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]
Modules linked in:
CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]
pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334
lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]
lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334
Call trace:
 mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)
 mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)
 mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382
 ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648
 rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327
 rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791
 netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317
 netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973
 sock_recvmsg_nosec net/socket.c:1033 [inline]
 sock_recvmsg net/socket.c:1055 [inline]
 sock_read_iter+0x2d8/0x40c net/socket.c:1125
 new_sync_read fs/read_write.c:484 [inline]
 vfs_read+0x740/0x970 fs/read_write.c:565
 ksys_read+0x15c/0x26c fs/read_write.c:708

Security Summary

CVE-2025-21719 is a vulnerability in the Linux kernel's IP multicast routing (ipmr) component, specifically in the mr_mfc_uses_dev() function in net/ipv4/ipmr_base.c. The function was being called on unresolved (unres) multicast forwarding cache entries, whose minvif/maxvif fields alias the struct sk_buff_head of the entry's pending-packet queue, which holds two pointers. Treating those pointer bytes as a VIF range leads to an invalid memory access (a kernel paging request fault or wild-memory-access, as reported by KASAN) and a crash during operations such as mr_table_dump.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N). By triggering a netlink dump of ipmr routes via rtnetlink (e.g., through sock_recvmsg on a netlink socket), the attacker causes the kernel to invoke mr_mfc_uses_dev() on unres entries. The result is high confidentiality impact (C:H) through potential memory disclosure and high availability impact (A:H) via kernel panic, with unchanged scope (S:U), as reflected in the CVSS 3.1 score of 7.1 and the CWE-125 (Out-of-bounds Read) classification.

Mitigation is to apply the kernel patches from the stable releases, which remove the erroneous call to mr_mfc_uses_dev() for unres entries. Relevant commits include 15a901361ec3fb1c393f91880e1cbf24ec0a88bd, 26bb7d991f04eeef47dfad23e533834995c26f7a, 53df27fd38f84bd3cd6b004eb4ff3c4903114f1d, 547ef7e8cbb98f966c8719a3e15d4e078aaa9b47, and 57177c5f47a8da852f8d76cf6945cf803f8bb9e5, available at git.kernel.org/stable.
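To make the aliasing behind this bug and the shape of the fix concrete, the following is an added C model; it is not kernel code and not taken from this page. The structures (struct mfc_entry, struct skb_head, struct vif_table), the device names, the sample routing table and the two dump routines are simplified stand-ins I constructed, modelled on the description above: a resolved entry's VIF range and TTL table share union storage with an unresolved entry's packet queue. dump_broken applies the per-device filter to every entry, the pre-fix behaviour, and reports how many unresolved entries it inspected through the resolved view; dump_fixed skips the check for unresolved entries, which is what the stable fix does. The model bounds its VIF loop so that it stays in-bounds; the kernel check had no such bound, which is why the pointer bytes led to a wild read there.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXVIFS 32

/* Constructed stand-in for the kernel's sk_buff_head: two list pointers and a length. */
struct skb_head {
    void *next;
    void *prev;
    uint32_t qlen;
};

/* Constructed stand-in for a multicast forwarding cache entry. As in the kernel, a
 * resolved entry keeps its VIF range and TTL table in the same union storage that an
 * unresolved entry uses for its queue of pending packets, so the two views alias. */
struct mfc_entry {
    uint32_t origin, mcastgrp;
    int unresolved;                       /* 1 while the route is still pending */
    union {
        struct {
            uint8_t minvif, maxvif;
            uint8_t ttls[MAXVIFS];
        } res;                            /* meaningful only when unresolved == 0 */
        struct skb_head unres_queue;      /* meaningful only when unresolved == 1 */
    } u;
};

struct vif_table {
    const char *dev[MAXVIFS];             /* device name per VIF, NULL if unused */
};

/* Per-device filter check. It reads the resolved view, so it is only valid for
 * resolved entries. Returns 1 on match, 0 otherwise. */
static int uses_dev(const struct vif_table *vt, const struct mfc_entry *c, const char *dev)
{
    /* The vifi < MAXVIFS bound only keeps this model in-bounds; on an unresolved
     * entry minvif/maxvif are queue pointer bytes, not a real VIF range. */
    for (unsigned vifi = c->u.res.minvif; vifi < c->u.res.maxvif && vifi < MAXVIFS; vifi++)
        if (vt->dev[vifi] && c->u.res.ttls[vifi] < 255 && strcmp(vt->dev[vifi], dev) == 0)
            return 1;
    return 0;
}

/* Pre-fix shape: the filter runs over every entry, unresolved ones included.
 * *misread counts unresolved entries inspected through the resolved view. */
static int dump_broken(const struct vif_table *vt, const struct mfc_entry *tab, size_t n,
                       const char *filter_dev, int *misread)
{
    int emitted = 0;
    *misread = 0;
    for (size_t i = 0; i < n; i++) {
        if (tab[i].unresolved)
            (*misread)++;
        if (!filter_dev || uses_dev(vt, &tab[i], filter_dev))
            emitted++;
    }
    return emitted;
}

/* Fixed shape: unresolved entries are listed without consulting the resolved view. */
static int dump_fixed(const struct vif_table *vt, const struct mfc_entry *tab, size_t n,
                      const char *filter_dev)
{
    int emitted = 0;
    for (size_t i = 0; i < n; i++) {
        if (tab[i].unresolved) { emitted++; continue; }
        if (!filter_dev || uses_dev(vt, &tab[i], filter_dev))
            emitted++;
    }
    return emitted;
}

/* Shows that an unresolved entry's minvif/maxvif are the first two stored bytes of
 * its queue pointer, whatever that pointer happens to be. */
static int vif_range_is_pointer_bytes(void)
{
    static int pending_packet;            /* constructed stand-in for a queued packet */
    struct mfc_entry c;
    uint8_t ptr_bytes[sizeof(void *)];
    memset(&c, 0, sizeof c);
    c.unresolved = 1;
    c.u.unres_queue.next = c.u.unres_queue.prev = &pending_packet;
    memcpy(ptr_bytes, &c.u.unres_queue.next, sizeof ptr_bytes);
    return c.u.res.minvif == ptr_bytes[0] && c.u.res.maxvif == ptr_bytes[1];
}

/* Constructed sample: two VIFs, two resolved routes, one route still unresolved. */
static const struct vif_table sample_vifs = { { "eth0", "eth1" } };

static size_t sample_table(struct mfc_entry out[3])
{
    static int pending_packet;
    memset(out, 0, 3 * sizeof *out);
    out[0].u.res.minvif = 0; out[0].u.res.maxvif = 2;          /* forwards via eth0 only */
    memset(out[0].u.res.ttls, 255, MAXVIFS); out[0].u.res.ttls[0] = 1;
    out[1].u.res.minvif = 1; out[1].u.res.maxvif = 2;          /* forwards via eth1 only */
    memset(out[1].u.res.ttls, 255, MAXVIFS); out[1].u.res.ttls[1] = 1;
    out[2].unresolved = 1;                                     /* one packet queued */
    out[2].u.unres_queue.next = out[2].u.unres_queue.prev = &pending_packet;
    out[2].u.unres_queue.qlen = 1;
    return 3;
}

static int fixed_count(const char *filter_dev)
{
    struct mfc_entry tab[3];
    size_t n = sample_table(tab);
    return dump_fixed(&sample_vifs, tab, n, filter_dev);
}

static int broken_misreads(const char *filter_dev)
{
    struct mfc_entry tab[3];
    int misread;
    size_t n = sample_table(tab);
    (void)dump_broken(&sample_vifs, tab, n, filter_dev, &misread);
    return misread;
}

int main(void)
{
    printf("aliasing: %s\n", vif_range_is_pointer_bytes() ? "minvif/maxvif are pointer bytes" : "no alias");
    printf("broken dump inspected %d unresolved entry through the resolved view\n", broken_misreads("eth0"));
    printf("fixed dump for eth0: %d entries, eth1: %d, unfiltered: %d\n",
           fixed_count("eth0"), fixed_count("eth1"), fixed_count(NULL));
    return 0;
}
```

The point to take from the model is that the union itself is fine; what matters is that the resolved-view fields are only read after checking which view the entry is in, and the stable fix restores that invariant by never routing unresolved entries through the device filter.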

The vulnerability was discovered by syzbot fuzzing on kernel version 6.13.0-rc7, with no public reports of real-world exploitation.

Details

CWE(s): CWE-125 (Out-of-bounds Read)

Affected Products

Vendor: linux
Product: linux kernel
Affected versions: 4.20 to 5.4.291, 5.5 to 5.10.235, 5.11 to 5.15.179

References