In the Linux kernel, a vulnerability tracked as CVE-2025-21680 has been resolved. It concerns the pktgen subsystem, specifically the get_imix_entries function, which was subject to out-of-bounds access. The Linux Verification Center (linuxtesting.org) found the bug with the SVACE static analyzer.
Exploit Details
The vulnerability occurs when the pkt_dev->imix_entries array is accessed with an index past its end because of an inadequate boundary check. Put simply, if more imix entries are passed to the function than the array can hold, the function writes beyond the end of pkt_dev->imix_entries.
During debugging, UBSAN (Undefined Behavior Sanitizer) reported the following out-of-bounds error at net/core/pktgen.c:874:24 in the Linux kernel:
UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24
index 20 is out of range for type 'imix_pkt [20]'
Further investigation traced the problem to the get_imix_entries function, shown below.
static int get_imix_entries(struct pktgen_dev *pkt_dev, const char *imix)
{
	char *pos, *org;
	int i;

	/* Work on a private copy so strsep() can modify it. */
	org = pos = kstrdup(imix, GFP_KERNEL);
	if (!org)
		return -ENOMEM;

	for (i = 0; i < ARRAY_SIZE(pkt_dev->imix_entries); ) {
		char *buf, *token;

		buf = skip_spaces(pos);
		/* Split on "/"; strsep() advances buf past the delimiter. */
		token = strsep(&buf, "/");
		if (!token)
			break;
		pos = buf;

		/* Store the token as a u32; stop at the first malformed token. */
		if (!kstrtou32(token, 0, &pkt_dev->imix_entries[i])) {
			i++;
			continue;
		}
		break;
	}

	kfree(org);
	return i;	/* number of entries parsed */
}
This code walks the pkt_dev->imix_entries array in a loop, storing one parsed value per iteration. However, the traversal is not correctly bounded, so when more imix entries are supplied than the array holds, the function attempts an out-of-bounds access.
The Resolution
To address this vulnerability, the following patch was applied; the commit's sign-off note records a follow-up change by "fp" so that the array can be filled completely, plus a minor changelog cleanup:
static int get_imix_entries(struct pktgen_dev *pkt_dev, const char *imix)
{
char *pos, *org;
int i;
org = pos = kstrdup(imix, GFP_KERNEL);
if (!org)
return -ENOMEM;
+ for (i = ; i < ARRAY_SIZE(pkt_dev->imix_entries) - 1; ) {
- for (i = ; i < ARRAY_SIZE(pkt_dev->imix_entries); ) {
char *buf, *token;
buf = skip_spaces(pos);
token = strsep(&buf, "/");
if (!token)
break;
pos = buf;
if (!kstrtou32(token, , &pkt_dev->imix_entries[i])) {
i++;
continue;
}
break;
}
kfree(org);
return i;
}
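Review bot: the new loop bound in this hunk, `for (i = ; i < ARRAY_SIZE(pkt_dev->imix_entries) - 1; )`, leaves the last slot of `imix_entries` permanently unused, which contradicts the accompanying note that the change allows the array to be filled completely; meanwhile the removed condition `i < ARRAY_SIZE(pkt_dev->imix_entries)` already keeps `i` below the array size for the write `&pkt_dev->imix_entries[i]`, so the hunk as shown neither reproduces the index-20 write that UBSAN reported nor needs the `- 1`. Both the `+` and `-` lines also read `i = ;`, and the unchanged context carries `kstrtou32(token, , ...)` with a missing argument, so neither version compiles as printed, and the `+` line is placed before the `-` line it replaces. UBSAN names the element type as `imix_pkt`, yet the context passes `&pkt_dev->imix_entries[i]` to `kstrtou32`, which expects a `u32 *`; the element type should be checked. Suggest regenerating the hunk from the applied commit so that the before and after states match the description, and moving the capacity check to just before the write rather than shrinking the loop bound.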
This patch adjusts the loop condition to prevent out-of-bounds access by ensuring that the array traversal is safe within its boundaries. In doing so, this fixes the vulnerability CVE-2025-21680 in the Linux kernel.
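As an added userspace C illustration (not the kernel's code and not taken from the patch above), the parser below implements the same pattern as get_imix_entries: a "/"-separated list of u32 values written into a fixed array of MAX_IMIX_ENTRIES slots (20, the array size UBSAN reported), with the capacity check placed before each write so that all 20 slots can be filled but a 21st entry is rejected instead of being written past the end. The function names, the choice of -E2BIG for an over-long list, and the constructed inputs built by the demo helpers are assumptions for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same capacity as the kernel array UBSAN reported: 'imix_pkt [20]'. */
#define MAX_IMIX_ENTRIES 20

/* Userspace stand-in for kstrtou32(): base 0, the whole token [tok, end)
 * must be a non-negative number that fits in 32 bits. */
static int parse_u32_token(const char *tok, const char *end, uint32_t *out)
{
	char *stop;
	unsigned long v;

	while (tok < end && isspace((unsigned char)*tok))
		tok++;
	/* Reject empty tokens and anything not starting with a digit ("-1", "abc"). */
	if (tok == end || !isdigit((unsigned char)*tok))
		return -EINVAL;
	errno = 0;
	v = strtoul(tok, &stop, 0);
	if (errno != 0 || stop != end || v > UINT32_MAX)
		return -EINVAL;
	*out = (uint32_t)v;
	return 0;
}

/* Parse a "/"-separated list of u32 values into entries[0..capacity).
 * Returns the number of entries stored, or -E2BIG if the input carries more
 * valid tokens than `capacity` can hold. The capacity check runs BEFORE
 * each write, so the array can be filled completely but never overrun.
 * Parsing stops at the first malformed token (mirroring the page's loop). */
int parse_imix_entries(const char *imix, uint32_t *entries, size_t capacity)
{
	const char *pos = imix;
	size_t i = 0;

	for (;;) {
		const char *slash = strchr(pos, '/');
		const char *tokend = slash ? slash : pos + strlen(pos);
		uint32_t val;

		if (parse_u32_token(pos, tokend, &val) != 0)
			break;
		if (i >= capacity)		/* check before the write */
			return -E2BIG;
		entries[i++] = val;
		if (!slash)
			break;
		pos = slash + 1;
	}
	return (int)i;
}

/* Constructed input for the demos: "1/2/.../n" written into buf. */
static int make_imix_list(size_t n, char *buf, size_t buflen)
{
	size_t used = 0;

	buf[0] = '\0';
	for (size_t k = 1; k <= n; k++) {
		int w = snprintf(buf + used, buflen - used, "%s%zu",
				 k == 1 ? "" : "/", k);
		if (w < 0 || (size_t)w >= buflen - used)
			return -ENOSPC;
		used += (size_t)w;
	}
	return 0;
}

/* Scratch array sized like the kernel's, shared by the demo helpers. */
static uint32_t demo_entries[MAX_IMIX_ENTRIES];

int demo_parse(const char *imix)
{
	return parse_imix_entries(imix, demo_entries, MAX_IMIX_ENTRIES);
}

uint32_t demo_entry(size_t i)
{
	return i < MAX_IMIX_ENTRIES ? demo_entries[i] : 0;
}

/* Parse a constructed list of n entries; n == 20 fills the array exactly,
 * n == 21 is the over-long input that the bounds check must refuse. */
int demo_parse_n(size_t n)
{
	char buf[256];

	if (make_imix_list(n, buf, sizeof buf) != 0)
		return -ENOSPC;
	return demo_parse(buf);
}

int main(void)
{
	printf("3 values      -> %d\n", demo_parse("64/128/256"));
	printf("20 values     -> %d\n", demo_parse_n(MAX_IMIX_ENTRIES));
	printf("21 values     -> %d (E2BIG is %d)\n",
	       demo_parse_n(MAX_IMIX_ENTRIES + 1), E2BIG);
	return 0;
}
```

The point of the structure is that the only place the array index is used as a write target is guarded by `i >= capacity` immediately before it; a loop that increments the count first and checks afterwards, or that shrinks the loop bound by one, either leaves a window for the write at index 20 or wastes the last slot.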
References
- Linux Verification Center (linuxtesting.org): https://linuxtesting.org/
- SVACE: https://www.fedoraproject.org/wiki/Changes/StaticAnalysisWithSVACE
- Linux Kernel: net/core/pktgen.c - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/core/pktgen.c
Timeline
Published on: 01/31/2025 12:15:29 UTC
Last modified on: 02/04/2025 15:28:08 UTC