From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 32436302151 for ; Tue, 13 Jan 2026 15:36:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768318581; cv=none; b=T3l/m4/wVeyGu2cq9QW7pUO3H/5G/+TC4DAJyA5tp9OgK4dsthdYuSMsJL8/XIARtexFqVtk2syhQngYX4Cm1o4i5Lwhzt+8g0UfnYBuwl6zZ32halYCRH+V/HbHyzpEhnQTR2LUpbwcK8SEuUXY1ob3v/S7oziGNV+CG8pdApA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768318581; c=relaxed/simple; bh=SYGV3V+U0Rh4XcuMfxh3HVCM6Plf8e7jCewHHNr1Zew=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=pV5yZ7r1fLm63vuKzZKP/IH3PeV4/lW6xyrSKkyK4guU4iv+h0GhKsfXQZxJNpt4qzkOYD65BXgHHg6HMA4Vz7UW8C4Crv948KPHJsoyvoaRgxTd5ZIzp89Pzma6DabHc6yyO/k6aa+Z0fc3qiIlZxAjVGu9HxUW9KcoK71JaXc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=yacZIR8F; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="yacZIR8F" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B418FC116C6; Tue, 13 Jan 2026 15:36:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1768318581; bh=SYGV3V+U0Rh4XcuMfxh3HVCM6Plf8e7jCewHHNr1Zew=; h=From:To:Cc:Subject:Date:Reply-To:From; b=yacZIR8FPWJOARLCpJtcSgWV/XK0TlImWcDM8biCUripl7loaVzpcJzo4VlkTqlKy ma/z0Prwjg8m9gjturTddYv8UPE3TJhG+ViQapg2QlnqOWEv0kWTREoFsabAegAfik kVpc14AloSbxLIPNlEPvduT+0ruorX4Orzjj4TN0= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2025-71096: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly Date: Tue, 13 Jan 2026 16:35:55 +0100 Message-ID: <2026011344-CVE-2025-71096-fb73@gregkh> X-Mailer: git-send-email 2.52.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=5180; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=G6MAOXE9V84bR0ryDPHqOq8+wxWiJdcAWMzprkU3ezs=; b=owGbwMvMwCRo6H6F97bub03G02pJDJlpaQHtHzYmzz4Vov0yqnDnyT3heodfPn+RrX81q0Wov Lje70hyRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzErJhhJmNaupravq8vNf42 3LlYeuG85NzU2wzzvazMX5mvdQ56PsXzstLOFXafs/qNAQ== X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation and parsing into one function. Fixes an uninitialized read from the stack triggered by userspace if it does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE query. BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline] BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 hex_byte_pack include/linux/hex.h:13 [inline] ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509 ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633 pointer+0xc09/0x1bd0 lib/vsprintf.c:2542 vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930 vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279 vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426 vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465 vprintk+0x36/0x50 kernel/printk/printk_safe.c:82 _printk+0x17e/0x1b0 kernel/printk/printk.c:2475 ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline] ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline] rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x333/0x3d0 net/socket.c:729 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671 __sys_sendmsg+0x1aa/0x300 net/socket.c:2703 __compat_sys_sendmsg net/compat.c:346 [inline] __do_compat_sys_sendmsg net/compat.c:353 [inline] __se_compat_sys_sendmsg net/compat.c:350 [inline] __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350 ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3 The Linux kernel CVE team has assigned CVE-2025-71096 to this issue. Affected and fixed versions =========================== Issue introduced in 4.7 with commit ae43f8286730d1f2d241c34601df59f6d2286ac4 and fixed in 6.1.160 with commit 45532638de5da24c201aa2a9b3dd4b054064de7b Issue introduced in 4.7 with commit ae43f8286730d1f2d241c34601df59f6d2286ac4 and fixed in 6.6.120 with commit 9d85524789c2f17c0e87de8d596bcccc3683a1fc Issue introduced in 4.7 with commit ae43f8286730d1f2d241c34601df59f6d2286ac4 and fixed in 6.12.64 with commit acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec Issue introduced in 4.7 with commit ae43f8286730d1f2d241c34601df59f6d2286ac4 and fixed in 6.18.4 with commit 0b948afc1ded88b3562c893114387f34389eeb94 Issue introduced in 4.7 with commit ae43f8286730d1f2d241c34601df59f6d2286ac4 and fixed in 6.19-rc4 with commit a7b8e876e0ef0232b8076972c57ce9a7286b47ca Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-71096 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/infiniband/core/addr.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/45532638de5da24c201aa2a9b3dd4b054064de7b https://git.kernel.org/stable/c/9d85524789c2f17c0e87de8d596bcccc3683a1fc https://git.kernel.org/stable/c/acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec https://git.kernel.org/stable/c/0b948afc1ded88b3562c893114387f34389eeb94 https://git.kernel.org/stable/c/a7b8e876e0ef0232b8076972c57ce9a7286b47ca