[PATCH openEuler-1.0-LTS 0/2] net: Fix CVE-2025-21763

Fix CVE-2025-21763

Eric Dumazet (1):
  neighbour: use RCU protection in __neigh_notify()

Li Zetao (1):
  neighbour: delete redundant judgment statements

 net/core/neighbour.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--
2.25.1

Feedback: The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/16109
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/FUH...

From: Li Zetao <lizetao1@huawei.com> mainline inclusion from mainline-v6.12-rc1 commit c25bdd2ac8cf7da70a226f1a66cdce7af15ff86f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC59 CVE: CVE-2025-21763 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- The initial value of err is -ENOBUFS, and err is guaranteed to be less than 0 before all goto errout. Therefore, on the error path of errout, there is no need to repeatedly judge that err is less than 0, and delete redundant judgments to make the code more concise. Signed-off-by: Li Zetao <lizetao1@huawei.com> Reviewed-by: Petr Machata <petrm@nvidia.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com> --- net/core/neighbour.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 3f1520755282..0936a4f3f6f5 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -2940,8 +2940,7 @@ static void __neigh_notify(struct neighbour *n, int type, int flags, rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC); return; errout: - if (err < 0) - rtnl_set_sk_err(net, RTNLGRP_NEIGH, err); + rtnl_set_sk_err(net, RTNLGRP_NEIGH, err); } void neigh_app_ns(struct neighbour *n) -- 2.25.1
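Review bot: at the errout label, rtnl_set_sk_err() is now called unconditionally, which is only correct if err is negative at every goto errout in this tree's copy of __neigh_notify(), and the hunk shows none of those sites. Please check each goto errout in the openEuler-1.0-LTS version of the function rather than relying on the mainline changelog. This is also a cleanup that the following patch applies on top of (its index line starts from 0936a4f3f6f5), not a fix in itself, so the changelog should say it is carried as a prerequisite so the CVE tag is not read as this commit closing the issue.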

From: Eric Dumazet <edumazet@google.com> mainline inclusion from mainline-v6.14-rc3 commit becbd5850c03ed33b232083dd66c6e38c0c0e569 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC59 CVE: CVE-2025-21763 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- __neigh_notify() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF. Fixes: 426b5303eb43 ("[NETNS]: Modify the neighbour table code so it handles multiple network namespaces") Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: David Ahern <dsahern@kernel.org> Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://patch.msgid.link/20250207135841.1948589-4-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com> --- net/core/neighbour.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 0936a4f3f6f5..d827cfadddf0 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -2922,10 +2922,12 @@ static inline size_t neigh_nlmsg_size(void) static void __neigh_notify(struct neighbour *n, int type, int flags, u32 pid) { - struct net *net = dev_net(n->dev); struct sk_buff *skb; int err = -ENOBUFS; + struct net *net; + rcu_read_lock(); + net = dev_net_rcu(n->dev); skb = nlmsg_new(neigh_nlmsg_size(), GFP_ATOMIC); if (skb == NULL) goto errout; @@ -2938,9 +2940,11 @@ static void __neigh_notify(struct neighbour *n, int type, int flags, goto errout; } rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC); - return; + goto out; errout: rtnl_set_sk_err(net, RTNLGRP_NEIGH, err); +out: + rcu_read_unlock(); } void neigh_app_ns(struct neighbour *n) -- 2.25.1
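Review bot: the first hunk calls dev_net_rcu(), but the cover letter shows the series touching only net/core/neighbour.c, so that helper has to exist in openEuler-1.0-LTS already. Please confirm it does, or add the commit that introduces it as a prerequisite in this series, otherwise this will not build. In the second hunk, errout falls through into out, so rtnl_set_sk_err() still runs inside the read-side section where net was obtained; keep that ordering if the error path is touched again, and avoid adding any early return between rcu_read_lock() and the out label.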
Participants (2): Dong Chenchen, patchwork bot