ghsa-3w79-f82r-vfcx
Vulnerability from github
Published
2025-04-16 15:34
Modified
2025-04-16 15:34
Details

In the Linux kernel, the following vulnerability has been resolved:

net: fix NULL pointer dereference in l3mdev_l3_rcv

When delete l3s ipvlan:

ip link del link eth0 ipvlan1 type ipvlan mode l3s

This may cause a null pointer dereference:

Call trace:
 ip_rcv_finish+0x48/0xd0
 ip_rcv+0x5c/0x100
 __netif_receive_skb_one_core+0x64/0xb0
 __netif_receive_skb+0x20/0x80
 process_backlog+0xb4/0x204
 napi_poll+0xe8/0x294
 net_rx_action+0xd8/0x22c
 __do_softirq+0x12c/0x354

This is because l3mdev_l3_rcv() visit dev->l3mdev_ops after ipvlan_l3s_unregister() assign the dev->l3mdev_ops to NULL. The process like this:

(CPU1)                     | (CPU2)
l3mdev_l3_rcv()            |
  check dev->priv_flags:   |
    master = skb->dev;     |
                           |
                           | ipvlan_l3s_unregister()
                           |   set dev->priv_flags
                           |   dev->l3mdev_ops = NULL;
                           |
  visit master->l3mdev_ops |

To avoid this by do not set dev->l3mdev_ops when unregister l3s ipvlan.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-22103"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-16T15:16:04Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix NULL pointer dereference in l3mdev_l3_rcv\n\nWhen delete l3s ipvlan:\n\n    ip link del link eth0 ipvlan1 type ipvlan mode l3s\n\nThis may cause a null pointer dereference:\n\n    Call trace:\n     ip_rcv_finish+0x48/0xd0\n     ip_rcv+0x5c/0x100\n     __netif_receive_skb_one_core+0x64/0xb0\n     __netif_receive_skb+0x20/0x80\n     process_backlog+0xb4/0x204\n     napi_poll+0xe8/0x294\n     net_rx_action+0xd8/0x22c\n     __do_softirq+0x12c/0x354\n\nThis is because l3mdev_l3_rcv() visit dev-\u003el3mdev_ops after\nipvlan_l3s_unregister() assign the dev-\u003el3mdev_ops to NULL. The process\nlike this:\n\n    (CPU1)                     | (CPU2)\n    l3mdev_l3_rcv()            |\n      check dev-\u003epriv_flags:   |\n        master = skb-\u003edev;     |\n                               |\n                               | ipvlan_l3s_unregister()\n                               |   set dev-\u003epriv_flags\n                               |   dev-\u003el3mdev_ops = NULL;\n                               |\n      visit master-\u003el3mdev_ops |\n\nTo avoid this by do not set dev-\u003el3mdev_ops when unregister l3s ipvlan.",
  "id": "GHSA-3w79-f82r-vfcx",
  "modified": "2025-04-16T15:34:44Z",
  "published": "2025-04-16T15:34:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22103"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0032c99e83b9ce6d5995d65900aa4b6ffb501cce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f9dff65140efc289f01bcf39c3ca66a8806b6132"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.