Bug 2363332 (CVE-2025-37749)

Summary: CVE-2025-37749 kernel: net: ppp: Add bound checking for skb data on ppp_sync_txmung
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, michael.h.hall-1, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
An out-of-bounds read vulnerability exists in the ppp_sync_txmunge() function in the Linux kernel's PPP subsystem. Insufficient bounds checking on incoming PPP packets may lead to a kernel crash if a packet with an empty or truncated payload is processed.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-05-01 14:04:12 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: ppp: Add bound checking for skb data on ppp_sync_txmung

Ensure we have enough data in linear buffer from skb before accessing
initial bytes. This prevents potential out-of-bounds accesses
when processing short packets.

When ppp_sync_txmung receives an incoming package with an empty
payload:
(remote) gef➤  p *(struct pppoe_hdr *) (skb->head + skb->network_header)
$18 = {
	type = 0x1,
	ver = 0x1,
	code = 0x0,
	sid = 0x2,
        length = 0x0,
	tag = 0xffff8880371cdb96
}

from the skb struct (trimmed)
      tail = 0x16,
      end = 0x140,
      head = 0xffff88803346f400 "4",
      data = 0xffff88803346f416 ":\377",
      truesize = 0x380,
      len = 0x0,
      data_len = 0x0,
      mac_len = 0xe,
      hdr_len = 0x0,

it is not safe to access data[2].

[pabeni: fixed subj typo]
Comment 1 Avinash Hanwate 2025-05-02 07:02:16 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025050136-CVE-2025-37749-0f49@gregkh/T
Comment 5 errata-xmlrpc 2025-05-19 03:26:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7903 https://access.redhat.com/errata/RHSA-2025:7903
Comment 6 errata-xmlrpc 2025-05-28 03:21:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:8248 https://access.redhat.com/errata/RHSA-2025:8248
Comment 10 errata-xmlrpc 2025-11-11 08:04:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:20095 https://access.redhat.com/errata/RHSA-2025:20095