CVE-2025-40357
- Source
- https://cve.org/CVERecord?id=CVE-2025-40357
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40357.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-40357
- Downstream
- Published
- 2025-12-16T13:30:29.758Z
- Modified
- 2025-12-16T20:26:17.491310Z
- Summary
- net/smc: fix general protection fault in __smc_diag_dump
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix general protection fault in _smcdiag_dump
The syzbot report a crash:
Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f] CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:smcdiagmsgcommonfill net/smc/smcdiag.c:44 [inline] RIP: 0010:smcdiagdump.constprop.0+0x3ca/0x2550 net/smc/smcdiag.c:89 Call Trace: <TASK> smcdiagdumpproto+0x26d/0x420 net/smc/smcdiag.c:217 smcdiagdump+0x27/0x90 net/smc/smcdiag.c:234 netlinkdump+0x539/0xd30 net/netlink/afnetlink.c:2327 _netlinkdumpstart+0x6d6/0x990 net/netlink/afnetlink.c:2442 netlinkdumpstart include/linux/netlink.h:341 [inline] smcdiaghandlerdump+0x1f9/0x240 net/smc/smcdiag.c:251 _sockdiagcmd net/core/sockdiag.c:249 [inline] sockdiagrcvmsg+0x438/0x790 net/core/sockdiag.c:285 netlinkrcvskb+0x158/0x420 net/netlink/afnetlink.c:2552 netlinkunicastkernel net/netlink/afnetlink.c:1320 [inline] netlinkunicast+0x5a7/0x870 net/netlink/afnetlink.c:1346 netlinksendmsg+0x8d1/0xdd0 net/netlink/afnetlink.c:1896 socksendmsgnosec net/socket.c:714 [inline] _socksendmsg net/socket.c:729 [inline] _syssendmsg+0xa95/0xc70 net/socket.c:2614 _syssendmsg+0x134/0x1d0 net/socket.c:2668 _syssendmsg+0x16d/0x220 net/socket.c:2700 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xcd/0x4e0 arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x77/0x7f </TASK>
The process like this:
(CPU1) | (CPU2)---------------------------------|------------------------------- inetcreate() | // init clcsock to NULL | sk = skalloc() | | // unexpectedly change clcsock | inetinitcsklocks() | | // add sk to hash table | smcinetinitsock() | smcskinit() | smchashsk() | | // traverse the hash table | smcdiagdumpproto | _smcdiagdump() | // visit wrong clcsock | smcdiagmsgcommonfill() // alloc clcsock | smccreateclcsk | sockcreatekern |
With CONFIGDEBUGLOCKALLOC=y, the smc->clcsock is unexpectedly changed in inetinitcsklocks(). The INETPROTOSWICSK flag is no need by smc, just remove it.
After removing the INETPROTOSWICSK flag, this patch alse revert commit 6fd27ea183c2 ("net/smc: fix lacks of icsksynmss with IPPROTOSMC") to avoid casting smcsock to inetconnectionsock.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40357.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/5b6fc95c4a161326567bdf12a333768565b638f2
- https://git.kernel.org/stable/c/99b5b3faf3220ba1cdab8e6e42be4f3f993937c3
- https://git.kernel.org/stable/c/f584239a9ed25057496bf397c370cc5163dde419
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40357.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-40357
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd25a92ccae6bed02327b63d138e12e7806830f78Fixed5b6fc95c4a161326567bdf12a333768565b638f2Fixed99b5b3faf3220ba1cdab8e6e42be4f3f993937c3Fixedf584239a9ed25057496bf397c370cc5163dde419