CVE-2025-39828
Published 2025-09-16

Severity: High 7.8 (CVSS 3.1, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
In the Linux kernel, the following vulnerability has been resolved:
atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().
syzbot reported the splat below. [0]
When atmtcp_v_open() or atmtcp_v_close() is called via connect()
or close(), atmtcp_send_control() is called to send an in-kernel
special message.
The message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length.
Also, a pointer of struct atm_vcc is set to atmtcp_control.vcc.
The notable thing is struct atmtcp_control is uAPI but has a
space for an in-kernel pointer.
```c
struct atmtcp_control {
	struct atmtcp_hdr hdr;	/* must be first */
	...
	atm_kptr_t vcc;		/* both directions */
	...
} __ATM_API_ALIGN;

typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;
```
The special message is processed in atmtcp_recv_control() called
from atmtcp_c_send().
atmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths:
1. .ndo_start_xmit() (vcc->send() == atm_send_aal0())
2. vcc_sendmsg()
The problem is sendmsg() does not validate the message length and
userspace can abuse atmtcp_recv_control() to overwrite any kptr
by atmtcp_control.
Let's add a new ->pre_send() hook to validate messages from sendmsg().
[0]:
```
Oops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]
CPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]
RIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297
Code: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c
RSP: 0018:ffffc90003f5f810 EFLAGS: 00010203
RAX: 00000000200000ab RBX: 0000000000000
```
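As an added illustration (not the kernel's code or the patch itself), a user-space model of the `->pre_send()` gate the commit message describes: the struct definitions are simplified stand-ins for the uAPI types, and the rejection rule (buffer shorter than the header, or `hdr.length == ATMTCP_HDR_MAGIC` arriving from userspace) is an assumption about what the hook validates, derived from the description above.

```c
/* Illustrative model of the ->pre_send() check; simplified stand-in types, not the kernel's code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ATMTCP_HDR_MAGIC 0xffffffffu  /* hdr.length value that marks a control message */

struct atmtcp_hdr { uint16_t vpi; uint16_t vci; uint32_t length; };
typedef struct { unsigned char _[8]; } atm_kptr_t;  /* uAPI slot that holds an in-kernel pointer */
struct atmtcp_control {
	struct atmtcp_hdr hdr;  /* must be first */
	int type;
	atm_kptr_t vcc;         /* trustworthy only when the kernel itself filled it in */
};

/* Gate for the sendmsg() path: a user buffer may be a data frame, never a control message. */
int atmtcp_pre_send_check(const unsigned char *data, size_t len)
{
	struct atmtcp_hdr hdr;
	if (len < sizeof(hdr))
		return -EINVAL;  /* too short to carry even a header */
	memcpy(&hdr, data, sizeof(hdr));  /* copy out: user data need not be aligned */
	if (hdr.length == ATMTCP_HDR_MAGIC)
		return -EINVAL;  /* control messages originate in-kernel only */
	return 0;
}

/* Constructed sample 1: a user-built control message with user-chosen bytes in the kptr slot. */
int demo_user_control_rejected(void)
{
	struct atmtcp_control msg = { .hdr = { .length = ATMTCP_HDR_MAGIC }, .type = 1 };
	memset(msg.vcc._, 0x41, sizeof(msg.vcc._));
	return atmtcp_pre_send_check((const unsigned char *)&msg, sizeof(msg));
}

/* Constructed sample 2: a buffer shorter than the header. */
int demo_short_rejected(void)
{
	unsigned char buf[4] = { 0 };
	return atmtcp_pre_send_check(buf, sizeof(buf));
}

/* Constructed sample 3: an ordinary data frame with a plausible payload length. */
int demo_data_accepted(void)
{
	unsigned char frame[sizeof(struct atmtcp_hdr) + 48] = { 0 };
	struct atmtcp_hdr hdr = { .vpi = 0, .vci = 32, .length = 48 };
	memcpy(frame, &hdr, sizeof(hdr));
	return atmtcp_pre_send_check(frame, sizeof(frame));
}
```

The in-kernel sender (`atmtcp_send_control()`) does not pass through this gate, which is why the magic-tagged message can still be trusted when it originates inside the kernel.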
Affected (30 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < b502f16bad8f0a4cfbd023452766f21bfda39dde | b502f16bad8f0a4cfbd023452766f21bfda39dde |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 0a6a6d4fb333f7afe22e59ffed18511a7a98efc8 | 0a6a6d4fb333f7afe22e59ffed18511a7a98efc8 |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 62f368472b0aa4b5d91d9b983152855c6b6d8925 | 62f368472b0aa4b5d91d9b983152855c6b6d8925 |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 51872b26429077be611b0a1816e0e722278015c3 | 51872b26429077be611b0a1816e0e722278015c3 |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 3c80c230d6e3e6f63d43f4c3f0bb344e3e8b119b | 3c80c230d6e3e6f63d43f4c3f0bb344e3e8b119b |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 33f9e6dc66b32202b95fc861e6b3ea4b0c185b0b | 33f9e6dc66b32202b95fc861e6b3ea4b0c185b0b |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 3ab9f5ad9baefe6d3d4c37053cdfca2761001dfe | 3ab9f5ad9baefe6d3d4c37053cdfca2761001dfe |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < ec79003c5f9d2c7f9576fc69b8dbda80305cbe3a | ec79003c5f9d2c7f9576fc69b8dbda80305cbe3a |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1 |
| linux | linux_kernel | >= 0 < 6.12.48-1 | 6.12.48-1 |
| linux | linux_kernel | >= 0 < 6.16.5-1 | 6.16.5-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-106.106 | 6.8.0-106.106 |
| linux | linux_kernel | >= 2.6.12.1 < 5.4.298 | 5.4.298 |
| linux | linux_kernel | >= 5.11 < 5.15.191 | 5.15.191 |
| linux | linux_kernel | >= 5.16 < 6.1.150 | 6.1.150 |
| linux | linux_kernel | >= 5.5 < 5.10.242 | 5.10.242 |
| linux | linux_kernel | >= 6.13 < 6.16.5 | 6.16.5 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 7.8 | HIGH | |