The Linux Kernel, the operating system core itself.
Security Fix(es):
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Protect against send buffer overflow in NFSv2 READ
Since before the git era, NFSD has conserved the number of pages held by each nfsd thread by combining the RPC receive and send buffers into a single array of pages. This works because there are no cases where an operation needs a large RPC Call message and a large RPC Reply at the same time.
Once an RPC Call has been received, svc_process() updates svc_rqst::rq_res to describe the part of rq_pages that can be used for constructing the Reply. This means that the send buffer (rq_res) shrinks when the received RPC record containing the RPC Call is large.
A client can force this shrinkage on TCP by sending a correctly-formed RPC Call header contained in an RPC record that is excessively large. The full maximum payload size cannot be constructed in that case. (CVE-2022-50410)
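The shrinking send buffer can be modelled in userspace as follows. This is an added example, not the kernel's code or the upstream patch: the page counts, header size and function names are constructed, and clamping the READ count to the remaining space is an assumed guard chosen for illustration.

```c
#include <stdio.h>

#define PAGE_SZ   4096u
#define NR_PAGES  10u             /* constructed: pages shared by receive and send */
#define MAX_READ  (8u * PAGE_SZ)  /* constructed: largest READ payload */
#define REPLY_HDR 128u            /* constructed: room kept for the Reply header */

/* Bytes left for the Reply once the received RPC record has taken its pages. */
unsigned send_buflen(unsigned record_len)
{
    unsigned used = (record_len + PAGE_SZ - 1) / PAGE_SZ;

    if (used >= NR_PAGES)
        return 0;
    return (NR_PAGES - used) * PAGE_SZ;
}

/* Bound the client-supplied READ count by the protocol maximum and by what
 * still fits in the send buffer after an oversized record. */
unsigned clamp_read_count(unsigned requested, unsigned record_len)
{
    unsigned room = send_buflen(record_len);
    unsigned count = requested < MAX_READ ? requested : MAX_READ;

    room = room > REPLY_HDR ? room - REPLY_HDR : 0;
    return count < room ? count : room;
}

int main(void)
{
    printf("normal call:      %u\n", clamp_read_count(MAX_READ, 120));
    printf("oversized record: %u\n", clamp_read_count(MAX_READ, 8 * PAGE_SZ));
    return 0;
}
```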
In the Linux kernel, the following vulnerability has been resolved:
tracing: Limit access to parser->buffer when trace_get_user failed
When the length of the string written to set_ftrace_filter exceeds FTRACE_BUFF_MAX, the following KASAN alarm will be triggered:
BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0
Read of size 1 at addr ffff0000d00bd5ba by task ash/165
CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty
Hardware name: linux,dummy-virt (DT)
Call trace:
 show_stack+0x34/0x50 (C)
 dump_stack_lvl+0xa0/0x158
 print_address_description.constprop.0+0x88/0x398
 print_report+0xb0/0x280
 kasan_report+0xa4/0xf0
 __asan_report_load1_noabort+0x20/0x30
 strsep+0x18c/0x1b0
 ftrace_process_regex.isra.0+0x100/0x2d8
 ftrace_regex_release+0x484/0x618
 __fput+0x364/0xa58
 ____fput+0x28/0x40
 task_work_run+0x154/0x278
 do_notify_resume+0x1f0/0x220
 el0_svc+0xec/0xf0
 el0t_64_sync_handler+0xa0/0xe8
 el0t_64_sync+0x1ac/0x1b0
The reason is that trace_get_user will fail when processing a string longer than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0. Then an OOB access will be triggered in ftrace_regex_release->ftrace_process_regex->strsep->strpbrk. We can solve this problem by limiting access to parser->buffer when trace_get_user failed. (CVE-2025-39683)
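A userspace model of the failure mode and of the guard described above. This is an added example, not kernel code or the upstream patch: struct parser, its fail flag, get_token() and process_on_release() are hypothetical names, and BUF_MAX stands in for FTRACE_BUFF_MAX.

```c
#include <stdio.h>
#include <string.h>

#define BUF_MAX 8                 /* stand-in for FTRACE_BUFF_MAX */

struct parser {                   /* hypothetical model, not the kernel struct */
    char buffer[BUF_MAX + 1];
    size_t idx;                   /* bytes stored by the last write */
    int fail;                     /* last write overflowed; buffer unterminated */
};

/* Models the failing read: on overflow it returns -1 and leaves the buffer
 * full and unterminated, the state described in the advisory. */
int get_token(struct parser *p, const char *src, size_t len)
{
    memset(p->buffer, 'A', sizeof(p->buffer));  /* constructed stale contents */
    p->idx = 0;
    p->fail = 0;
    for (size_t i = 0; i < len; i++) {
        if (p->idx >= BUF_MAX) {
            p->fail = 1;
            return -1;
        }
        p->buffer[p->idx++] = src[i];
    }
    p->buffer[p->idx] = '\0';
    return 0;
}

/* Release-time consumer. Returns the number of comma-separated fields, or 0
 * when the buffer is empty or was left behind by a failed write. */
int process_on_release(const struct parser *p)
{
    const char *s = p->buffer;
    int n = 1;
    if (p->fail || p->idx == 0)
        return 0;                 /* guard: never scan an unterminated buffer */
    for (; (s = strpbrk(s, ",")) != NULL; s++)
        n++;
    return n;
}

int main(void)
{
    struct parser p;
    int rc = get_token(&p, "0123456789", 10);   /* longer than BUF_MAX */
    printf("rc=%d fields=%d\n", rc, process_on_release(&p));
    return 0;
}
```

Checking only idx > 0 would not be enough here, because a failed write leaves idx at BUF_MAX; the separate failure flag is what keeps the string scan away from the unterminated buffer.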
In the Linux kernel, the following vulnerability has been resolved:
vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
When the "proxy" option is enabled on a VXLAN device, the device will suppress ARP requests and IPv6 Neighbor Solicitation messages if it is able to reply on behalf of the remote host. That is, if a matching and valid neighbor entry is configured on the VXLAN device whose MAC address is not behind the "any" remote (0.0.0.0 / ::).
The code currently assumes that the FDB entry for the neighbor's MAC address points to a valid remote destination, but this is incorrect if the entry is associated with an FDB nexthop group. This can result in an NPD [1][3] which can be reproduced using [2][4].
Fix by checking that the remote destination exists before dereferencing it.
[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
CPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
RIP: 0010:vxlan_xmit+0xb58/0x15f0
[...]
Call Trace:
 <TASK>
 dev_hard_start_xmit+0x5d/0x1c0
 __dev_queue_xmit+0x246/0xfd0
 packet_sendmsg+0x113a/0x1850
 __sock_sendmsg+0x38/0x70
 __sys_sendto+0x126/0x180
 __x64_sys_sendto+0x24/0x30
 do_syscall_64+0xa4/0x260
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
[2]
#!/bin/bash
ip address add 192.0.2.1/32 dev lo
ip nexthop add id 1 via 192.0.2.2 fdb
ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy
ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0
bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3
[3]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
CPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014
RIP: 0010:vxlan_xmit+0x803/0x1600
[...]
Call Trace:
 <TASK>
 dev_hard_start_xmit+0x5d/0x1c0
 __dev_queue_xmit+0x246/0xfd0
 ip6_finish_output2+0x210/0x6c0
 ip6_finish_output+0x1af/0x2b0
 ip6_mr_output+0x92/0x3e0
 ip6_send_skb+0x30/0x90
 rawv6_sendmsg+0xe6e/0x12e0
 __sock_sendmsg+0x38/0x70
 __sys_sendto+0x126/0x180
 __x64_sys_sendto+0x24/0x30
 do_syscall_64+0xa4/0x260
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f383422ec77
[4]
#!/bin/bash
ip address add 2001:db8:1::1/128 dev lo
ip nexthop add id 1 via 2001:db8:1::1 fdb
ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy
ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0
bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0
(CVE-2025-39850)
{
"severity": "High"
}
{
"x86_64": [
"bpftool-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm",
"bpftool-debuginfo-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm",
"kernel-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm",
"kernel-debuginfo-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm",
"kernel-debugsource-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm",
"kernel-devel-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm",
"kernel-headers-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm",
"kernel-source-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm",
"kernel-tools-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm",
"kernel-tools-debuginfo-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm",
"kernel-tools-devel-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm",
"perf-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm",
"perf-debuginfo-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm",
"python3-perf-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm",
"python3-perf-debuginfo-5.10.0-285.0.0.188.oe2203sp4.x86_64.rpm"
],
"aarch64": [
"bpftool-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm",
"bpftool-debuginfo-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm",
"kernel-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm",
"kernel-debuginfo-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm",
"kernel-debugsource-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm",
"kernel-devel-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm",
"kernel-headers-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm",
"kernel-source-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm",
"kernel-tools-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm",
"kernel-tools-debuginfo-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm",
"kernel-tools-devel-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm",
"perf-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm",
"perf-debuginfo-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm",
"python3-perf-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm",
"python3-perf-debuginfo-5.10.0-285.0.0.188.oe2203sp4.aarch64.rpm"
],
"src": [
"kernel-5.10.0-285.0.0.188.oe2203sp4.src.rpm"
]
}