CVE-2025-37864

{"id": "CVE-2025-37864", "cveTags": [], "metrics": {}, "published": "2025-05-09T07:16:07.410", "references": [{"url": "https://git.kernel.org/stable/c/7afb5fb42d4950f33af2732b8147c552659f79b7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/86c6613a69bca815f1865ed8cedfd4b9142621ab", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8fcc1e6f808912977caf17366c625b95dc29ba4f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/99c50c98803425378e08a7394dc885506dc85f06", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: clean up FDB, MDB, VLAN entries on unbind\n\nAs explained in many places such as commit b117e1e8a86d (\"net: dsa:\ndelete dsa_legacy_fdb_add and dsa_legacy_fdb_del\"), DSA is written given\nthe assumption that higher layers have balanced additions/deletions.\nAs such, it only makes sense to be extremely vocal when those\nassumptions are violated and the driver unbinds with entries still\npresent.\n\nBut Ido Schimmel points out a very simple situation where that is wrong:\nhttps://lore.kernel.org/netdev/ZDazSM5UsPPjQuKr@shredder/\n(also briefly discussed by me in the aforementioned commit).\n\nBasically, while the bridge bypass operations are not something that DSA\nexplicitly documents, and for the majority of DSA drivers this API\nsimply causes them to go to promiscuous mode, that isn't the case for\nall drivers. Some have the necessary requirements for bridge bypass\noperations to do something useful - see dsa_switch_supports_uc_filtering().\n\nAlthough in tools/testing/selftests/net/forwarding/local_termination.sh,\nwe made an effort to popularize better mechanisms to manage address\nfilters on DSA interfaces from user space - namely macvlan for unicast,\nand setsockopt(IP_ADD_MEMBERSHIP) - through mtools - for multicast, the\nfact is that 'bridge fdb add ... self static local' also exists as\nkernel UAPI, and might be useful to someone, even if only for a quick\nhack.\n\nIt seems counter-productive to block that path by implementing shim\n.ndo_fdb_add and .ndo_fdb_del operations which just return -EOPNOTSUPP\nin order to prevent the ndo_dflt_fdb_add() and ndo_dflt_fdb_del() from\nrunning, although we could do that.\n\nAccepting that cleanup is necessary seems to be the only option.\nEspecially since we appear to be coming back at this from a different\nangle as well. Russell King is noticing that the WARN_ON() triggers even\nfor VLANs:\nhttps://lore.kernel.org/netdev/Z_li8Bj8bD4-BYKQ@shell.armlinux.org.uk/\n\nWhat happens in the bug report above is that dsa_port_do_vlan_del() fails,\nthen the VLAN entry lingers on, and then we warn on unbind and leak it.\n\nThis is not a straight revert of the blamed commit, but we now add an\ninformational print to the kernel log (to still have a way to see\nthat bugs exist), and some extra comments gathered from past years'\nexperience, to justify the logic."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: dsa: clean up FDB, MDB, VLAN entries on unbind Como se explica en muchos lugares como la confirmaci\u00f3n b117e1e8a86d (\"net: dsa: delete dsa_legacy_fdb_add y dsa_legacy_fdb_del\"), DSA se escribe asumiendo que las capas superiores tienen adiciones/eliminaciones equilibradas. Como tal, solo tiene sentido ser extremadamente vocal cuando se violan esas suposiciones y el controlador se desvincula con entradas a\u00fan presentes. Pero Ido Schimmel se\u00f1ala una situaci\u00f3n muy simple donde eso es incorrecto: https://lore.kernel.org/netdev/ZDazSM5UsPPjQuKr@shredder/ (tambi\u00e9n discutido brevemente por m\u00ed en la confirmaci\u00f3n mencionada anteriormente). B\u00e1sicamente, mientras que las operaciones de bypass de puente no son algo que DSA documente expl\u00edcitamente, y para la mayor\u00eda de los controladores DSA esta API simplemente hace que pasen al modo promiscuo, ese no es el caso para todos los controladores. Algunos requisitos para que las operaciones de bypass de puente sean \u00fatiles (v\u00e9ase dsa_switch_supports_uc_filtering()). Si bien en tools/testing/selftests/net/forwarding/local_termination.sh nos esforzamos por popularizar mejores mecanismos para gestionar filtros de direcciones en interfaces DSA desde el espacio de usuario (en concreto, macvlan para unidifusi\u00f3n y setsockopt(IP_ADD_MEMBERSHIP) mediante mtools para multidifusi\u00f3n), lo cierto es que \u00abbridge fdb add ... self static local\u00bb tambi\u00e9n existe como UAPI del kernel y podr\u00eda ser \u00fatil, aunque solo sea para una modificaci\u00f3n r\u00e1pida. Parece contraproducente bloquear esa ruta implementando operaciones de shim .ndo_fdb_add y .ndo_fdb_del, que simplemente devuelven -EOPNOTSUPP para impedir la ejecuci\u00f3n de ndo_dflt_fdb_add() y ndo_dflt_fdb_del(), aunque podr\u00edamos hacerlo. Aceptar la necesidad de una depuraci\u00f3n parece ser la \u00fanica opci\u00f3n. Sobre todo porque parece que tambi\u00e9n estamos abordando este tema desde una perspectiva diferente. Russell King observa que la funci\u00f3n WARN_ON() se activa incluso para las VLAN: https://lore.kernel.org/netdev/Z_li8Bj8bD4-BYKQ@shell.armlinux.org.uk/ Lo que ocurre en el informe de error anterior es que dsa_port_do_vlan_del() falla, la entrada de la VLAN persiste y, a continuaci\u00f3n, advertimos sobre la desvinculaci\u00f3n y la filtramos. Esto no es una reversi\u00f3n directa de la confirmaci\u00f3n criticada, sino que ahora a\u00f1adimos una impresi\u00f3n informativa al registro del kernel (para seguir viendo la existencia de errores) y algunos comentarios adicionales recopilados de a\u00f1os anteriores para justificar la l\u00f3gica."}], "lastModified": "2025-05-12T17:32:32.760", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}