Bug 2360269 (CVE-2025-22103)
| Summary: | CVE-2025-22103 kernel: net: fix NULL pointer dereference in l3mdev_l3_rcv | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | dfreiber, drow, jburrell, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
CVE-2025-22103 is a bug in the Linux operating system that affects how it handles certain virtual network interfaces called IPvlan interfaces, specifically when they're running in a special mode called L3S (Layer 3 Simplified). These virtual interfaces are often used in advanced networking setups, like containers or virtual machines.
The problem happens when one of these virtual interfaces is being deleted. If the system is still trying to use it at the exact moment it's being removed, Linux might try to access something that's already gone. This leads to a situation where the system hits an error and crashes completely — resulting in a kernel panic (essentially a Linux version of a system-wide crash).
The root of the problem is that Linux doesn't always wait for things to finish properly before cleaning up, which opens a short window where one part of the system thinks the interface still exists, while another part has already removed it.
The issue has been fixed in newer versions of the Linux kernel (starting from version 6.15-rc1), so applying the latest updates will prevent this crash from occurring.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
In the Linux kernel, the following vulnerability has been resolved: net: fix NULL pointer dereference in l3mdev_l3_rcv When delete l3s ipvlan: ip link del link eth0 ipvlan1 type ipvlan mode l3s This may cause a null pointer dereference: Call trace: ip_rcv_finish+0x48/0xd0 ip_rcv+0x5c/0x100 __netif_receive_skb_one_core+0x64/0xb0 __netif_receive_skb+0x20/0x80 process_backlog+0xb4/0x204 napi_poll+0xe8/0x294 net_rx_action+0xd8/0x22c __do_softirq+0x12c/0x354 This is because l3mdev_l3_rcv() visit dev->l3mdev_ops after ipvlan_l3s_unregister() assign the dev->l3mdev_ops to NULL. The process like this: (CPU1) | (CPU2) l3mdev_l3_rcv() | check dev->priv_flags: | master = skb->dev; | | | ipvlan_l3s_unregister() | set dev->priv_flags | dev->l3mdev_ops = NULL; | visit master->l3mdev_ops | To avoid this by do not set dev->l3mdev_ops when unregister l3s ipvlan.