From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2025-40292: virtio-net: fix received length check in big packets
Date: Mon, 8 Dec 2025 09:47:17 +0900
Message-ID: <2025120818-CVE-2025-40292-e613@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

virtio-net: fix received length check in big packets

Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on the negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.

Because the host-announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce an incorrect length), we need a check in the virtio_net receive path. Currently, the check is not adapted to the new change, which can lead to a NULL page pointer dereference in the below while loop when receiving a length that is larger than the allocated one.

This commit fixes the received length check corresponding to the new change.

The Linux kernel CVE team has assigned CVE-2025-40292 to this issue.
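The failure mode the description refers to, as an added illustration in C that is not the kernel's code and not the fix itself: a simplified model of a big-packet page chain whose length follows the negotiated MTU (vi->big_packets_num_skbfrags), with the pre-fix bound (MAX_SKB_FRAGS * PAGE_SIZE) beside a bound tied to the allocated size. The struct layouts, the PAGE_SIZE and MAX_SKB_FRAGS values, the 2-frag allocation and the function names are assumptions chosen for the example; header and offset handling in the real receive loop is omitted.

```c
/*
 * Simplified model of the virtio-net big-packet length check described in
 * the advisory. This is NOT kernel code: struct layouts, constants and the
 * 2-frag allocation used below are assumptions chosen for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE     4096u   /* assumed page size */
#define MAX_SKB_FRAGS 17u     /* assumed value; the pre-fix bound used this */

/* Model of a page in the big-packet chain; pages are linked via ->private. */
struct page {
	struct page *private;   /* next page in the chain, NULL after the last */
};

/* Only the field the check depends on; the real struct is far larger. */
struct virtnet_info_model {
	unsigned int big_packets_num_skbfrags;  /* frags actually allocated per big packet */
};

/* Pre-fix check: still bounds len by the old, larger allocation. */
static bool len_check_prefix(const struct virtnet_info_model *vi, unsigned int len)
{
	(void)vi;
	return len <= MAX_SKB_FRAGS * PAGE_SIZE;
}

/* Adapted check: bounds len by what was actually allocated for this device. */
static bool len_check_fixed(const struct virtnet_info_model *vi, unsigned int len)
{
	return len <= vi->big_packets_num_skbfrags * PAGE_SIZE;
}

/* Link n pages into a chain and return its head (NULL if n == 0). */
static struct page *build_chain(struct page *pages, unsigned int n)
{
	for (unsigned int i = 0; i < n; i++)
		pages[i].private = (i + 1 < n) ? &pages[i + 1] : NULL;
	return n ? &pages[0] : NULL;
}

/*
 * Consume `len` bytes from the chain the way the receive loop walks frags.
 * Returns the number of frags used, or -1 when the walk reaches a NULL page
 * with bytes still outstanding (the NULL page pointer dereference in the
 * kernel; here it is detected instead of crashing).
 */
static int walk_frags(struct page *page, unsigned int len)
{
	int frags = 0;
	while (len) {
		if (!page)
			return -1;
		unsigned int frag_size = len < PAGE_SIZE ? len : PAGE_SIZE;
		len -= frag_size;
		page = page->private;
		frags++;
	}
	return frags;
}

/*
 * Receive one big packet whose announced length is host-controlled.
 * Returns frags consumed, -1 if the walk hit a NULL page, -2 if the check
 * rejected the length before any walk.
 */
static int receive_big_model(unsigned int num_skbfrags, unsigned int announced_len,
			     bool use_fixed_check)
{
	struct page pages[MAX_SKB_FRAGS];
	struct virtnet_info_model vi;
	struct page *chain;
	bool ok;

	if (num_skbfrags > MAX_SKB_FRAGS)
		num_skbfrags = MAX_SKB_FRAGS;
	vi.big_packets_num_skbfrags = num_skbfrags;
	chain = build_chain(pages, num_skbfrags);

	ok = use_fixed_check ? len_check_fixed(&vi, announced_len)
			     : len_check_prefix(&vi, announced_len);
	if (!ok)
		return -2;
	return walk_frags(chain, announced_len);
}

int main(void)
{
	/* MTU-sized allocation: assume 2 frags. A host announcing 3 pages' worth
	 * of data passes the old bound and walks off the end of the chain. */
	printf("pre-fix, 3 pages announced: %d\n", receive_big_model(2, 3 * PAGE_SIZE, false));
	printf("fixed,   3 pages announced: %d\n", receive_big_model(2, 3 * PAGE_SIZE, true));
	printf("fixed,   2 pages announced: %d\n", receive_big_model(2, 2 * PAGE_SIZE, true));
	return 0;
}
```

The point the model makes is that the bound must track the allocation, not a compile-time maximum: once the per-device allocation shrank with the MTU, a check against MAX_SKB_FRAGS * PAGE_SIZE no longer says anything about how many pages are actually chained behind the buffer, and an untrusted length from the device side decides how far the loop walks.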
Affected and fixed versions
===========================

	Issue introduced in 6.1 with commit 4959aebba8c06992abafa09d1e80965e0825af54 and fixed in 6.1.159 with commit 82f9028e83944a9eee5229cbc6fee9be1de8a62d
	Issue introduced in 6.1 with commit 4959aebba8c06992abafa09d1e80965e0825af54 and fixed in 6.6.117 with commit 946dec89c41726b94d31147ec528b96af0be1b5a
	Issue introduced in 6.1 with commit 4959aebba8c06992abafa09d1e80965e0825af54 and fixed in 6.12.58 with commit 82fe78065450d2d07f36a22e2b6b44955cf5ca5b
	Issue introduced in 6.1 with commit 4959aebba8c06992abafa09d1e80965e0825af54 and fixed in 6.17.8 with commit 3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2
	Issue introduced in 6.1 with commit 4959aebba8c06992abafa09d1e80965e0825af54 and fixed in 6.18 with commit 0c716703965ffc5ef4311b65cb5d84a703784717

Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40292 will be updated if fixes are backported; please check that for the most up-to-date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/net/virtio_net.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all.
If, however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits:
	https://git.kernel.org/stable/c/82f9028e83944a9eee5229cbc6fee9be1de8a62d
	https://git.kernel.org/stable/c/946dec89c41726b94d31147ec528b96af0be1b5a
	https://git.kernel.org/stable/c/82fe78065450d2d07f36a22e2b6b44955cf5ca5b
	https://git.kernel.org/stable/c/3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2
	https://git.kernel.org/stable/c/0c716703965ffc5ef4311b65cb5d84a703784717