CVE-2025-37865 Information

May 10, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported

Russell King reports that on the ZII dev rev B deleting a bridge VLAN from a user port fails with -ENOENT: https://lore.kernel.org/netdev/Z_lQXNP0s5-IiJzd@shell.armlinux.org.uk/

This comes from mv88e6xxx_port_vlan_leave() -> mv88e6xxx_mst_put() which tries to find an MST entry in &chip->msts associated with the SID but fails and returns -ENOENT as such.

But we know that this chip does not support MST at all so that is not surprising. The question is why does the guard in mv88e6xxx_mst_put() not exit early:

if (!sid)
	return 0;

And the answer seems to be simple: the sid comes from vlan.sid which supposedly was previously populated by mv88e6xxx_vtu_get(). But some chip->info->ops->vtu_getnext() implementations do not populate vlan.sid for example see mv88e6185_g1_vtu_getnext(). In that case later in mv88e6xxx_port_vlan_leave() we are using a garbage sid which is just residual stack memory.

Testing for sid == 0 covers all cases of a non-bridge VLAN or a bridge VLAN mapped to the default MSTI. For some chips SID 0 is valid and installed by mv88e6xxx_stu_setup(). A chip which does not support the STU would implicitly only support mapping all VLANs to the default MSTI so although SID 0 is not valid it would be sufficient if we were to zero-initialize the vlan structure to fix the bug due to the coincidence that a test for vlan.sid == 0 already exists and leads to the same (correct) behavior.

Another option which would be sufficient would be to add a test for mv88e6xxx_has_stu() inside mv88e6xxx_mst_put() symmetric to the one which already exists in mv88e6xxx_mst_get(). But that placement means the caller will have to dereference vlan.sid which means it will access uninitialized memory which is not nice even if it ignores it later.

So we end up making both modifications in order to not rely just on the sid == 0 coincidence but also to avoid having uninitialized structure fields which might get temporarily accessed.

Reference

https://git.kernel.org/stable/c/35cde75c08a1fa1a5ac0467afe2709caceeef002 https://git.kernel.org/stable/c/9da4acbd60664271d34a627f7f63cd5bad8eba74 https://git.kernel.org/stable/c/9ee6d3a368ed34f2457863da3085c676e9e37a3d https://git.kernel.org/stable/c/afae9087301471970254a9180e5a26d3d8e8af09 https://git.kernel.org/stable/c/ea08dfc35f83cfc73493c52f63ae4f2e29edfe8d

Share on: