DEBIAN-CVE-2025-40079

In the Linux kernel, the following vulnerability has been resolved: riscv, bpf: Sign extend struct ops return values properly The nsbpfqdisc selftest triggers a kernel panic: Unable to handle kernel paging request at virtual address ffffffffa38dbf58 Current testprogs pgtable: 4K pagesize, 57-bit VAs, pgdp=0x00000001109cc000 [ffffffffa38dbf58] pgd=000000011fffd801, p4d=000000011fffd401, pud=000000011fffd001, pmd=0000000000000000 Oops [#1] Modules linked in: bpftestmod(OE) xtconntrack nlsiso88591 [...] [last unloaded: bpftestmod(OE)] CPU: 1 UID: 0 PID: 23584 Comm: testprogs Tainted: G W OE 6.17.0-rc1-g2465bb83e0b4 #1 NONE Tainted: [W]=WARN, [O]=OOTMODULE, [E]=UNSIGNEDMODULE Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2024.01+dfsg-1ubuntu5.1 01/01/2024 epc : _qdiscrun+0x82/0x6f0 ra : _qdiscrun+0x6e/0x6f0 epc : ffffffff80bd5c7a ra : ffffffff80bd5c66 sp : ff2000000eecb550 gp : ffffffff82472098 tp : ff60000096895940 t0 : ffffffff8001f180 t1 : ffffffff801e1664 t2 : 0000000000000000 s0 : ff2000000eecb5d0 s1 : ff60000093a6a600 a0 : ffffffffa38dbee8 a1 : 0000000000000001 a2 : ff2000000eecb510 a3 : 0000000000000001 a4 : 0000000000000000 a5 : 0000000000000010 a6 : 0000000000000000 a7 : 0000000000735049 s2 : ffffffffa38dbee8 s3 : 0000000000000040 s4 : ff6000008bcda000 s5 : 0000000000000008 s6 : ff60000093a6a680 s7 : ff60000093a6a6f0 s8 : ff60000093a6a6ac s9 : ff60000093140000 s10: 0000000000000000 s11: ff2000000eecb9d0 t3 : 0000000000000000 t4 : 0000000000ff0000 t5 : 0000000000000000 t6 : ff60000093a6a8b6 status: 0000000200000120 badaddr: ffffffffa38dbf58 cause: 000000000000000d [<ffffffff80bd5c7a>] _qdiscrun+0x82/0x6f0 [<ffffffff80b6fe58>] _devqueuexmit+0x4c0/0x1128 [<ffffffff80b80ae0>] neighresolveoutput+0xd0/0x170 [<ffffffff80d2daf6>] ip6finishoutput2+0x226/0x6c8 [<ffffffff80d31254>] ip6finishoutput+0x10c/0x2a0 [<ffffffff80d31446>] ip6output+0x5e/0x178 [<ffffffff80d2e232>] ip6xmit+0x29a/0x608 [<ffffffff80d6f4c6>] inet6cskxmit+0xe6/0x140 [<ffffffff80c985e4>] _tcptransmitskb+0x45c/0xaa8 [<ffffffff80c995fe>] tcpconnect+0x9ce/0xd10 [<ffffffff80d66524>] tcpv6connect+0x4ac/0x5e8 [<ffffffff80cc19b8>] _inetstreamconnect+0xd8/0x318 [<ffffffff80cc1c36>] inetstreamconnect+0x3e/0x68 [<ffffffff80b42b20>] _sysconnectfile+0x50/0x88 [<ffffffff80b42bee>] _sysconnect+0x96/0xc8 [<ffffffff80b42c40>] _riscvsysconnect+0x20/0x30 [<ffffffff80e5bcae>] dotrapecallu+0x256/0x378 [<ffffffff80e69af2>] handleexception+0x14a/0x156 Code: 892a 0363 1205 489c 8bc1 c7e5 2d03 084a 2703 080a (2783) 0709 ---[ end trace 0000000000000000 ]--- The bpffifo_dequeue prog returns a skb which is a pointer. The pointer is treated as a 32bit value and sign extend to 64bit in epilogue. This behavior is right for most bpf prog types but wrong for struct ops which requires RISC-V ABI. So let's sign extend struct ops return values according to the function model and RISC-V ABI([0]). [0]: https://riscv.org/wp-content/uploads/2024/12/riscv-calling.pdf