Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2025-22055

Description

In the Linux kernel, the following vulnerability has been resolved:net: fix geneve_opt length integer overflowstruct geneve_opt uses 5 bit length for each single option, whichmeans every vary size option should be smaller than 128 bytes.However, all current related Netlink policies cannot promise thislength condition and the attacker can exploit a exact 128-byte sizeoption to *fake* a zero length option and confuse the parsing logic,further achieve heap out-of-bounds read.One example crash log is like below:[ 3.905425] ==================================================================[ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0[ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177[ 3.906646][ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1[ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014[ 3.907784] Call Trace:[ 3.907925] [ 3.908048] dump_stack_lvl+0x44/0x5c[ 3.908258] print_report+0x184/0x4be[ 3.909151] kasan_report+0xc5/0x100[ 3.909539] kasan_check_range+0xf3/0x1a0[ 3.909794] memcpy+0x1f/0x60[ 3.909968] nla_put+0xa9/0xe0[ 3.910147] tunnel_key_dump+0x945/0xba0[ 3.911536] tcf_action_dump_1+0x1c1/0x340[ 3.912436] tcf_action_dump+0x101/0x180[ 3.912689] tcf_exts_dump+0x164/0x1e0[ 3.912905] fw_dump+0x18b/0x2d0[ 3.913483] tcf_fill_node+0x2ee/0x460[ 3.914778] tfilter_notify+0xf4/0x180[ 3.915208] tc_new_tfilter+0xd51/0x10d0[ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560[ 3.919118] netlink_rcv_skb+0xcd/0x200[ 3.919787] netlink_unicast+0x395/0x530[ 3.921032] netlink_sendmsg+0x3d0/0x6d0[ 3.921987] __sock_sendmsg+0x99/0xa0[ 3.922220] __sys_sendto+0x1b7/0x240[ 3.922682] __x64_sys_sendto+0x72/0x90[ 3.922906] do_syscall_64+0x5e/0x90[ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8[ 3.924122] RIP: 0033:0x7e83eab84407[ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf[ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c[ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407[ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003[ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c[ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0[ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8Fix these issues by enforing correct length condition in relatedpolicies.

POC

Reference

No PoCs from references.

Github

- https://github.com/runwhen-contrib/helm-charts

- https://github.com/w4zu/Debian_security