CVE-2025-38224 Information
Description
In the Linux kernel the following vulnerability has been resolved:
can: kvaser_pciefd: refine error prone echo_skb_max handling logic
echo_skb_max should define the supported upper limit of echo_skb[] allocated inside the netdevice’s priv. The corresponding size value provided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT which is 17.
But later echo_skb_max is rounded up to the nearest power of two (for the max case that would be 32) and the tx/ack indices calculated further during tx/rx may exceed the upper array boundary. Kasan reported this for the ack case inside kvaser_pciefd_handle_ack_packet() though the xmit function has actually caught the same thing earlier.
BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528 Read of size 8 at addr ffff888105e4f078 by task swapper/4/0
CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 12 PREEMPT(voluntary)
Call Trace:
Tx max count definitely matters for kvaser_pciefd_tx_avail() but for seq numbers’ generation that’s not the case - we’re free to calculate them as would be more convenient not taking tx max count into account. The only downside is that the size of echo_skb[] should correspond to the max seq number (not tx max count) so in some situations a bit more memory would be consumed than could be.
Thus make the size of the underlying echo_skb[] sufficient for the rounded max tx value.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Reference
https://git.kernel.org/stable/c/54ec8b08216f3be2cc98b33633d3c8ea79749895 https://git.kernel.org/stable/c/a6550c9aa11e2f57f9cdaa6249cdd44d446be874 https://git.kernel.org/stable/c/d8a054b6e6824a8b52c3977ebd38c9583a63efac
Related CNNVD
CNNVD-202507-434 (Published: 2025-07-04)
Share on: