CVE-2025-22056 Information

Apr 17, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

netfilter: nft_tunnel: fix geneve_opt type confusion addition

When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes the parsing logic should place every geneve_opt structure one by one compactly. Hence when deciding the next geneve_opt position the pointer addition should be in units of char .

However the current implementation erroneously does type conversion before the addition which will lead to heap out-of-bounds write.

[ 6.989857] ================================================================== [ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70 [ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178 [ 6.991162] [ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 1 [ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX 1996) BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 6.992281] Call Trace: [ 6.992423] [ 6.992586] dump_stack_lvl+0x44/0x5c [ 6.992801] print_report+0x184/0x4be [ 6.993790] kasan_report+0xc5/0x100 [ 6.994252] kasan_check_range+0xf3/0x1a0 [ 6.994486] memcpy+0x38/0x60 [ 6.994692] nft_tunnel_obj_init+0x977/0xa70 [ 6.995677] nft_obj_init+0x10c/0x1b0 [ 6.995891] nf_tables_newobj+0x585/0x950 [ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020 [ 6.998997] nfnetlink_rcv+0x1df/0x220 [ 6.999537] netlink_unicast+0x395/0x530 [ 7.000771] netlink_sendmsg+0x3d0/0x6d0 [ 7.001462] __sock_sendmsg+0x99/0xa0 [ 7.001707] ____sys_sendmsg+0x409/0x450 [ 7.002391] ___sys_sendmsg+0xfd/0x170 [ 7.003145] __sys_sendmsg+0xea/0x170 [ 7.004359] do_syscall_64+0x5e/0x90 [ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 7.006127] RIP: 0033:0x7ec756d4e407 [ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf [ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e [ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407 [ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003 [ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000 [ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8

Fix this bug with correct pointer addition and conversion in parse and dump code.

Reference

https://git.kernel.org/stable/c/0a93a710d6df334b828ea064c6d39fda34f901dc https://git.kernel.org/stable/c/1b755d8eb1ace3870789d48fbd94f386ad6e30be https://git.kernel.org/stable/c/28d88ee1e1cc8ac2d79aeb112717b97c5c833d43 https://git.kernel.org/stable/c/31d49eb436f2da61280508d7adf8c9b473b967aa https://git.kernel.org/stable/c/446d94898c560ed2f61e26ae445858a4c4830762 https://git.kernel.org/stable/c/708e268acb3a446ad2a8a3d2e9bd41cc23660cd6 https://git.kernel.org/stable/c/a263d31c8c92e5919d41af57d9479cfb66323782 https://git.kernel.org/stable/c/ca2adfc03cd6273f0b589fe65afc6f75e0fe116e

Share on: