Bug 2400604 (CVE-2025-39917) - CVE-2025-39917 kernel: bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt
Summary: CVE-2025-39917 kernel: bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt
Keywords:
Status: NEW
Alias: CVE-2025-39917
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-10-01 08:01 UTC by OSIDB Bzimport
Modified: 2025-10-03 15:49 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-10-01 08:01:59 UTC 
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt

Stanislav reported that in bpf_crypto_crypt() the destination dynptr's
size is not validated to be at least as large as the source dynptr's
size before calling into the crypto backend with 'len = src_len'. This
can result in an OOB write when the destination is smaller than the
source.

Concretely, in mentioned function, psrc and pdst are both linear
buffers fetched from each dynptr:

  psrc = __bpf_dynptr_data(src, src_len);
  [...]
  pdst = __bpf_dynptr_data_rw(dst, dst_len);
  [...]
  err = decrypt ?
        ctx->type->decrypt(ctx->tfm, psrc, pdst, src_len, piv) :
        ctx->type->encrypt(ctx->tfm, psrc, pdst, src_len, piv);

The crypto backend expects pdst to be large enough with a src_len length
that can be written. Add an additional src_len > dst_len check and bail
out if it's the case. Note that these kfuncs are accessible under root
privileges only.
Comment 1 Alexander B 2025-10-02 10:55:41 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025100112-CVE-2025-39917-b3a9@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.