From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2025-38459: atm: clip: Fix infinite recursive call of clip_push().
Date: Fri, 25 Jul 2025 17:28:21 +0200
Message-ID: <2025072507-CVE-2025-38459-e941@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

atm: clip: Fix infinite recursive call of clip_push().

syzbot reported the splat below. [0]

This happens if we call ioctl(ATMARP_MKIP) more than once.

During the first call, clip_mkip() sets clip_push() to vcc->push(),
and the second call copies it to clip_vcc->old_push().

Later, when the socket is close()d, vcc_destroy_socket() passes
NULL skb to clip_push(), which calls clip_vcc->old_push(),
triggering the infinite recursion.

Let's prevent the second ioctl(ATMARP_MKIP) by checking
vcc->user_back, which is allocated by the first call as clip_vcc.

Note also that we use lock_sock() to prevent racy calls.
[0]:
BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000)
Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191
Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00
RSP: 0018:ffffc9000d670000 EFLAGS: 00010246
RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000
RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e
R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300
R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578
FS:  000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0
Call Trace:
 clip_push+0x6dc/0x720 net/atm/clip.c:200
 clip_push+0x6dc/0x720 net/atm/clip.c:200
 clip_push+0x6dc/0x720 net/atm/clip.c:200
 ...
 clip_push+0x6dc/0x720 net/atm/clip.c:200
 clip_push+0x6dc/0x720 net/atm/clip.c:200
 clip_push+0x6dc/0x720 net/atm/clip.c:200
 vcc_destroy_socket net/atm/common.c:183 [inline]
 vcc_release+0x157/0x460 net/atm/common.c:205
 __sock_release net/socket.c:647 [inline]
 sock_close+0xc0/0x240 net/socket.c:1391
 __fput+0x449/0xa70 fs/file_table.c:465
 task_work_run+0x1d1/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114
 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
 do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff31c98e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f
R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c
R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090
Modules linked in:

The Linux kernel CVE team has assigned CVE-2025-38459 to this issue.
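The defect described above is a general hook-wrapping hazard: a layer saves the current function pointer as "old" and installs itself, and if it is installed twice the saved "old" pointer is the wrapper itself, so the teardown path calls itself forever. The following user-space model is an added illustration, not code from net/atm/clip.c or from the kernel fix. The structs, the MAX_DEPTH cut-off (which stands in for the stack guard page), the `_before`/`_after` function names and the -1 error value are all constructed assumptions; the shape of the guard (refuse when vcc->user_back is already set) is the one the advisory describes. The lock_sock() serialisation the fix also adds is left out of the model.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed stand-ins for the kernel objects; only the two fields that
 * matter for the bug are modelled. Not the real struct atm_vcc / clip_vcc.
 */
struct sk_buff;                       /* opaque; only NULL is ever passed here */
struct atm_vcc;
typedef void (*push_fn)(struct atm_vcc *vcc, struct sk_buff *skb);

struct atm_vcc {
	push_fn push;        /* current receive hook, possibly wrapped by clip */
	void   *user_back;   /* points at the clip_vcc once ATMARP_MKIP was applied */
};

struct clip_vcc {
	struct atm_vcc *vcc;
	push_fn old_push;    /* hook that was in place before clip wrapped it */
};

#define MAX_DEPTH 64         /* model only; the kernel has no limit, it hits the guard page */

static int push_depth;
static int recursion_detected;
static int driver_push_calls;

/* Stand-in for the ATM driver's original push() handler. */
static void driver_push(struct atm_vcc *vcc, struct sk_buff *skb)
{
	(void)vcc; (void)skb;
	driver_push_calls++;
}

/* Model of clip_push(): a NULL skb means socket teardown, hand it to old_push. */
static void clip_push(struct atm_vcc *vcc, struct sk_buff *skb)
{
	struct clip_vcc *clip_vcc = vcc->user_back;

	if (++push_depth > MAX_DEPTH) {
		recursion_detected = 1;       /* where the real kernel overflows its stack */
		push_depth--;
		return;
	}
	if (!skb)
		clip_vcc->old_push(vcc, NULL);   /* pass the teardown down the chain */
	/* the normal packet path is irrelevant to the bug and omitted */
	push_depth--;
}

/* "Before": wraps vcc->push unconditionally, so a second call wraps clip_push with itself. */
static int clip_mkip_before(struct atm_vcc *vcc, struct clip_vcc *clip_vcc)
{
	clip_vcc->vcc = vcc;
	clip_vcc->old_push = vcc->push;   /* on the second call this is already clip_push */
	vcc->user_back = clip_vcc;
	vcc->push = clip_push;
	return 0;
}

/* "After": refuse a repeated ATMARP_MKIP when user_back is already set.
 * The advisory does not state the errno the kernel fix returns; -1 is a placeholder. */
static int clip_mkip_after(struct atm_vcc *vcc, struct clip_vcc *clip_vcc)
{
	if (vcc->user_back)
		return -1;
	return clip_mkip_before(vcc, clip_vcc);
}

/*
 * Apply ATMARP_MKIP `calls` times (at most 2) through `mkip`, then model
 * close(): vcc_destroy_socket() invokes the current push hook with a NULL skb.
 * Returns 1 if the simulated push chain recursed without bound, else 0.
 */
static int simulate_mkip_then_close(int (*mkip)(struct atm_vcc *, struct clip_vcc *), int calls)
{
	struct atm_vcc vcc = { driver_push, NULL };
	struct clip_vcc cv[2] = { { NULL, NULL }, { NULL, NULL } };
	int i;

	push_depth = recursion_detected = driver_push_calls = 0;
	for (i = 0; i < calls && i < 2; i++)
		mkip(&vcc, &cv[i]);
	vcc.push(&vcc, NULL);
	return recursion_detected;
}

int main(void)
{
	int r1 = simulate_mkip_then_close(clip_mkip_before, 1);
	printf("before, one MKIP : recursion=%d\n", r1);
	int r2 = simulate_mkip_then_close(clip_mkip_before, 2);
	printf("before, two MKIPs: recursion=%d\n", r2);
	int r3 = simulate_mkip_then_close(clip_mkip_after, 2);
	printf("after,  two MKIPs: recursion=%d, driver push reached %d time(s)\n",
	       r3, driver_push_calls);
	return 0;
}
```

The model makes the teardown chain explicit: with one MKIP the chain is clip_push -> driver_push; with two unguarded MKIPs it is clip_push -> clip_push, which never reaches the driver. The guarded variant keeps the chain at one clip layer, which is why a check-before-wrap on the ownership field (here user_back) is the right place to break the cycle, and why it must run under the socket lock so two concurrent ioctls cannot both see the field unset.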
Affected and fixed versions
===========================

	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.296 with commit f493f31a63847624fd3199ac836a8bd8828e50e2
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.240 with commit 125166347d5676466d368aadc0bbc31ee7714352
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.189 with commit 5641019dfbaee5e85fe093b590f0451c9dd4d6f8
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.146 with commit 1579a2777cb914a249de22c789ba4d41b154509f
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.99 with commit 3f61b997fe014bbfcc208a9fcbd363a1fe7e3a31
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.12.39 with commit 024876b247a882972095b22087734dcd23396a4e
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.15.7 with commit df0312d8859763aa15b8b56ac151a1ea4a4e5b88
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.16-rc6 with commit c489f3283dbfc0f3c00c312149cae90d27552c45

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38459
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	net/atm/clip.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.
Individual changes are never tested alone, but rather are part of a
larger kernel release. Cherry-picking individual commits is not
recommended or supported by the Linux kernel community at all. If
however, updating to the latest release is impossible, the individual
changes to resolve this issue can be found at these commits:
	https://git.kernel.org/stable/c/f493f31a63847624fd3199ac836a8bd8828e50e2
	https://git.kernel.org/stable/c/125166347d5676466d368aadc0bbc31ee7714352
	https://git.kernel.org/stable/c/5641019dfbaee5e85fe093b590f0451c9dd4d6f8
	https://git.kernel.org/stable/c/1579a2777cb914a249de22c789ba4d41b154509f
	https://git.kernel.org/stable/c/3f61b997fe014bbfcc208a9fcbd363a1fe7e3a31
	https://git.kernel.org/stable/c/024876b247a882972095b22087734dcd23396a4e
	https://git.kernel.org/stable/c/df0312d8859763aa15b8b56ac151a1ea4a4e5b88
	https://git.kernel.org/stable/c/c489f3283dbfc0f3c00c312149cae90d27552c45