CVE-2025-21921 Information
Description
In the Linux kernel, the following vulnerability has been resolved:
net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device
ethnl_req_get_phydev() is used to lookup a phy_device, in the case an ethtool netlink command targets a specific phydev within a netdev’s topology.
It takes as a parameter a const struct nlattr *header that’s used for error handling:
    if (!phydev) {
        NL_SET_ERR_MSG_ATTR(extack, header,
                            "no phy matching phyindex");
        return ERR_PTR(-ENODEV);
    }
In the notify path after a ->set operation, however, there are no request attributes available.
The typical callsite for the above function looks like:
    phydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],
                                  info->extack);
So, when tb is NULL (such as in the ethnl notify path), we have a nice crash.
It turns out that there’s only the PLCA command that is in that case, as the other phydev-specific commands don’t have a notification.
This commit fixes the crash by passing the cmd index and the nlattr array separately, allowing NULL-checking it directly inside the helper.
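The following userspace C model is an added example, not the kernel patch or code from the original page. It contrasts the old helper shape, where the caller has to index tb itself, with a helper that takes the array and the index separately. All type and function names are hypothetical stand-ins, and returning -ENODEV with no offending attribute when tb is NULL is an assumption of this model.

```c
#include <errno.h>
#include <stddef.h>

/* Userspace stand-ins with hypothetical names, not the kernel's definitions. */
struct nlattr { int type; };
struct phy { int index; };
struct req { struct phy *phys; size_t nphys; int phy_index; };
struct extack { const struct nlattr *bad_attr; };
enum { HDR_IDX = 1, ATTR_MAX = 2 };   /* constructed attribute layout */

static struct phy *find_phy(const struct req *r)
{
    for (size_t i = 0; i < r->nphys; i++)
        if (r->phys[i].index == r->phy_index)
            return &r->phys[i];
    return NULL;
}

/* Before: the caller must evaluate tb[HDR_IDX] to build 'header', so a
 * NULL tb is dereferenced at the callsite, before this function runs. */
struct phy *get_phy_before(const struct req *r, const struct nlattr *header,
                           struct extack *ea, int *err)
{
    struct phy *p = find_phy(r);
    *err = p ? 0 : -ENODEV;
    if (!p)
        ea->bad_attr = header;
    return p;
}

/* After: array and index arrive separately; tb is checked before indexing. */
struct phy *get_phy_after(const struct req *r, struct nlattr **tb,
                          unsigned int header, struct extack *ea, int *err)
{
    struct phy *p = find_phy(r);
    *err = p ? 0 : -ENODEV;
    if (!p)
        ea->bad_attr = tb ? tb[header] : NULL;  /* notify path: tb == NULL */
    return p;
}

int main(void)
{
    struct phy phys[] = { { 1 } };
    struct req r = { phys, 1, 2 };    /* constructed: phy index 2 is absent */
    struct extack ea = { NULL };
    int err;
    get_phy_after(&r, NULL, HDR_IDX, &ea, &err);  /* notify path, no crash */
    return err == -ENODEV ? 0 : 1;
}
```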
Reference
https://git.kernel.org/stable/c/1f458fa42c29144cef280e05bc49fc21b873d897
https://git.kernel.org/stable/c/637399bf7e77797811adf340090b561a8f9d1213
https://git.kernel.org/stable/c/639c70352958735addbba5ae7dd65985da96e061