Bug 2422728 (CVE-2025-68200) - CVE-2025-68200 kernel: bpf: Add bpf_prog_run_data_pointers()
Summary: CVE-2025-68200 kernel: bpf: Add bpf_prog_run_data_pointers()
Keywords:
Status: NEW
Alias: CVE-2025-68200
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-16 14:06 UTC by OSIDB Bzimport
Modified: 2025-12-17 00:17 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-12-16 14:06:53 UTC 
In the Linux kernel, the following vulnerability has been resolved:

bpf: Add bpf_prog_run_data_pointers()

syzbot found that cls_bpf_classify() is able to change
tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().

WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214

struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
Extend qdisc control block with tc control block"), which added a wrong
interaction with db58ba459202 ("bpf: wire in data and data_end for
cls_act_bpf").

drop_reason was added later.

Add bpf_prog_run_data_pointers() helper to save/restore the net_sched
storage colliding with BPF data_meta/data_end.
Comment 1 Alexander B 2025-12-17 00:14:02 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025121630-CVE-2025-68200-3bbb@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.