CVE-2025-38224

{"id": "CVE-2025-38224", "cveTags": [], "metrics": {}, "published": "2025-07-04T14:15:31.110", "references": [{"url": "https://git.kernel.org/stable/c/54ec8b08216f3be2cc98b33633d3c8ea79749895", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a6550c9aa11e2f57f9cdaa6249cdd44d446be874", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d8a054b6e6824a8b52c3977ebd38c9583a63efac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_pciefd: refine error prone echo_skb_max handling logic\n\necho_skb_max should define the supported upper limit of echo_skb[]\nallocated inside the netdevice's priv. The corresponding size value\nprovided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT\nwhich is 17.\n\nBut later echo_skb_max is rounded up to the nearest power of two (for the\nmax case, that would be 32) and the tx/ack indices calculated further\nduring tx/rx may exceed the upper array boundary. Kasan reported this for\nthe ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit\nfunction has actually caught the same thing earlier.\n\n BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528\n Read of size 8 at addr ffff888105e4f078 by task swapper/4/0\n\n CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary)\n Call Trace:\n <IRQ>\n dump_stack_lvl lib/dump_stack.c:122\n print_report mm/kasan/report.c:521\n kasan_report mm/kasan/report.c:634\n kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528\n kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605\n kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656\n kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684\n kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733\n __handle_irq_event_percpu kernel/irq/handle.c:158\n handle_irq_event kernel/irq/handle.c:210\n handle_edge_irq kernel/irq/chip.c:833\n __common_interrupt arch/x86/kernel/irq.c:296\n common_interrupt arch/x86/kernel/irq.c:286\n </IRQ>\n\nTx max count definitely matters for kvaser_pciefd_tx_avail(), but for seq\nnumbers' generation that's not the case - we're free to calculate them as\nwould be more convenient, not taking tx max count into account. The only\ndownside is that the size of echo_skb[] should correspond to the max seq\nnumber (not tx max count), so in some situations a bit more memory would\nbe consumed than could be.\n\nThus make the size of the underlying echo_skb[] sufficient for the rounded\nmax tx value.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: can: kvaser_pciefd: refinar la l\u00f3gica de manejo de echo_skb_max, propensa a errores. echo_skb_max deber\u00eda definir el l\u00edmite superior admitido de echo_skb[] asignado dentro del priv del dispositivo de red. El valor de tama\u00f1o correspondiente proporcionado por este controlador a alloc_candev() es KVASER_PCIEFD_CAN_TX_MAX_COUNT, que es 17. Sin embargo, posteriormente, echo_skb_max se redondea a la potencia de dos m\u00e1s cercana (para el caso m\u00e1ximo, ser\u00eda 32) y los \u00edndices de transmisi\u00f3n/recepci\u00f3n calculados posteriormente durante la transmisi\u00f3n/recepci\u00f3n pueden superar el l\u00edmite superior de la matriz. Kasan inform\u00f3 esto para el caso de confirmaci\u00f3n dentro de kvaser_pciefd_handle_ack_packet(), aunque la funci\u00f3n xmit ya hab\u00eda detectado el mismo problema anteriormente. ERROR: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528 Read of size 8 at addr ffff888105e4f078 by task swapper/4/0 CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary) Call Trace: dump_stack_lvl lib/dump_stack.c:122 print_report mm/kasan/report.c:521 kasan_report mm/kasan/report.c:634 kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528 kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605 kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656 kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684 kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733 __handle_irq_event_percpu kernel/irq/handle.c:158 handle_irq_event kernel/irq/handle.c:210 handle_edge_irq kernel/irq/chip.c:833 __common_interrupt arch/x86/kernel/irq.c:296 common_interrupt arch/x86/kernel/irq.c:286 El recuento m\u00e1ximo de transmisiones es importante para kvaser_pciefd_tx_avail(), pero no para la generaci\u00f3n de n\u00fameros de secuencia. Podemos calcularlo como nos convenga, sin tener en cuenta el recuento m\u00e1ximo de transmisiones. La \u00fanica desventaja es que el tama\u00f1o de echo_skb[] deber\u00eda corresponder al n\u00famero m\u00e1ximo de secuencia (no al recuento m\u00e1ximo de transmisiones), por lo que, en algunos casos, se consumir\u00eda m\u00e1s memoria de la que se podr\u00eda. Por lo tanto, el tama\u00f1o de echo_skb[] subyacente debe ser suficiente para el valor m\u00e1ximo de transmisi\u00f3n redondeado. Encontrado por el Centro de Verificaci\u00f3n de Linux (linuxtesting.org) con Syzkaller."}], "lastModified": "2025-07-08T16:18:53.607", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}