CVE-2025-39913
published 2025-10-01CVE-2025-39913: In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved:
tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.
syzbot reported the splat below. [0]
The repro does the following:
1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes)
2. Attach the prog to a SOCKMAP
3. Add a socket to the SOCKMAP
4. Activate fault injection
5. Send data less than cork_bytes
At 5., the data is carried over to the next sendmsg() as it is
smaller than the cork_bytes specified by bpf_msg_cork_bytes().
Then, tcp_bpf_send_verdict() tries to allocate psock->cork to hold
the data, but this fails silently due to fault injection + __GFP_NOWARN.
If the allocation fails, we need to revert the sk->sk_forward_alloc
change done by sk_msg_alloc().
Let's call sk_msg_free() when tcp_bpf_send_verdict fails to allocate
psock->cork.
The "*copied" also needs to be updated such that a proper error can
be returned to the caller, sendmsg. It fails to allocate psock->cork.
Nothing has been corked so far, so this patch simply sets "*copied"
to 0.
[0]:
WARNING: net/ipv4/af_inet.c:156 at inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156, CPU#1: syz-executor/5983
Modules linked in:
CPU: 1 UID: 0 PID: 5983 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156
Code: 0f 0b 90 e9 62 fe ff ff e8 7a db b5 f7 90 0f 0b 90 e9 95 fe ff ff e8 6c db b5 f7 90 0f 0b 90 e9 bb fe ff ff e8 5e db b5 f7 90 0b 90 e9 e1 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 9f fc
RSP: 0018:ffffc90000a08b48 EFLAGS: 00010246
RAX: ffffffff8a09d0b2 RBX: dffffc0000000000 RCX: ffff888024a23c80
RDX: 0000000000000100 RSI: 0000000000000fff RDI: 0000000000000000
RBP: 0000000000000fff R08: ffff88807e07c627 R09: 1ffff1100fc0f8c4
R10: dffffc0000000000 R11: ffffed100fc0f8c5 R12: ffff88807e07c380
R13: dffffc0000000000 R14: ffff88807e
Affected
33 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 4f738adba30a7cfc006f605707e7aee847ffefa0 < 08f58d10f5abf11d297cc910754922498c921f91 | 08f58d10f5abf11d297cc910754922498c921f91 |
| linux | linux | >= 4f738adba30a7cfc006f605707e7aee847ffefa0 < 05366527f44cf4b884f3d9462ae8009be9665856 | 05366527f44cf4b884f3d9462ae8009be9665856 |
| linux | linux | >= 4f738adba30a7cfc006f605707e7aee847ffefa0 < 7429b8b9bfbc276fd304fbaebc405f46b421fedf | 7429b8b9bfbc276fd304fbaebc405f46b421fedf |
| linux | linux | >= 4f738adba30a7cfc006f605707e7aee847ffefa0 < 9c2a6456bdf9794474460d885c359b6c4522d6e3 | 9c2a6456bdf9794474460d885c359b6c4522d6e3 |
| linux | linux | >= 4f738adba30a7cfc006f605707e7aee847ffefa0 < 66bcb04a441fbf15d66834b7e3eefb313dd750c8 | 66bcb04a441fbf15d66834b7e3eefb313dd750c8 |
| linux | linux | >= 4f738adba30a7cfc006f605707e7aee847ffefa0 < 539920180c55f5e13a2488a2339f94e6b8cb69e0 | 539920180c55f5e13a2488a2339f94e6b8cb69e0 |
| linux | linux | >= 4f738adba30a7cfc006f605707e7aee847ffefa0 < de89e58368f8f07df005ecc1c86ad94898a999f2 | de89e58368f8f07df005ecc1c86ad94898a999f2 |
| linux | linux | >= 4f738adba30a7cfc006f605707e7aee847ffefa0 < a3967baad4d533dc254c31e0d221e51c8d223d58 | a3967baad4d533dc254c31e0d221e51c8d223d58 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.247-1 | 5.10.247-1 |
| linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1 |
| linux | linux_kernel | >= 0 < 6.12.48-1 | 6.12.48-1 |
| linux | linux_kernel | >= 0 < 6.16.8-1 | 6.16.8-1 |
| linux | linux_kernel | >= 0 < 5.15.0-170.180 | 5.15.0-170.180 |
| linux | linux_kernel | >= 0 < 6.8.0-106.106 | 6.8.0-106.106 |
| linux | linux_kernel | >= 4.17 < 5.4.300 | 5.4.300 |
| linux | linux_kernel | >= 5.11 < 5.15.194 | 5.15.194 |
| linux | linux_kernel | >= 5.16 < 6.1.153 | 6.1.153 |
| linux | linux_kernel | >= 5.5 < 5.10.245 | 5.10.245 |
| linux | linux_kernel | >= 6.13 < 6.16.8 | 6.16.8 |
| linux | linux_kernel | >= 6.2 < 6.6.107 | 6.6.107 |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH