CVE-2025-38463

{"id": "CVE-2025-38463", "cveTags": [], "metrics": {}, "published": "2025-07-25T16:15:32.253", "references": [{"url": "https://git.kernel.org/stable/c/62e6160cfb5514787bda833d466509edc38fde23", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/81373cd1d72d87c7d844d4454a526b8f53e72d00", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9f164fa6bb09fbcc60fa5c3ff551ce9eec1befd7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d3a5f2871adc0c61c61869f37f3e697d97f03d8c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Correct signedness in skb remaining space calculation\n\nSyzkaller reported a bug [1] where sk->sk_forward_alloc can overflow.\n\nWhen we send data, if an skb exists at the tail of the write queue, the\nkernel will attempt to append the new data to that skb. However, the code\nthat checks for available space in the skb is flawed:\n'''\ncopy = size_goal - skb->len\n'''\n\nThe types of the variables involved are:\n'''\ncopy: ssize_t (s64 on 64-bit systems)\nsize_goal: int\nskb->len: unsigned int\n'''\n\nDue to C's type promotion rules, the signed size_goal is converted to an\nunsigned int to match skb->len before the subtraction. The result is an\nunsigned int.\n\nWhen this unsigned int result is then assigned to the s64 copy variable,\nit is zero-extended, preserving its non-negative value. Consequently, copy\nis always >= 0.\n\nAssume we are sending 2GB of data and size_goal has been adjusted to a\nvalue smaller than skb->len. The subtraction will result in copy holding a\nvery large positive integer. In the subsequent logic, this large value is\nused to update sk->sk_forward_alloc, which can easily cause it to overflow.\n\nThe syzkaller reproducer uses TCP_REPAIR to reliably create this\ncondition. However, this can also occur in real-world scenarios. The\ntcp_bound_to_half_wnd() function can also reduce size_goal to a small\nvalue. This would cause the subsequent tcp_wmem_schedule() to set\nsk->sk_forward_alloc to a value close to INT_MAX. Further memory\nallocation requests would then cause sk_forward_alloc to wrap around and\nbecome negative.\n\n[1]: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: Correcto signado en el c\u00e1lculo del espacio restante de skb Syzkaller inform\u00f3 de un error [1] en el que sk->sk_forward_alloc puede desbordarse. Al enviar datos, si existe un skb al final de la cola de escritura, el kernel intentar\u00e1 a\u00f1adir los nuevos datos a ese skb. Sin embargo, el c\u00f3digo que comprueba el espacio disponible en el skb presenta un fallo: ''' copy = size_goal - skb->len ''' Los tipos de las variables implicadas son: ''' copy: ssize_t (s64 en sistemas de 64 bits) size_goal: int skb->len: unsigned int ''' Debido a las reglas de promoci\u00f3n de tipos de C, el signed size_goal se convierte en un unsigned int para que coincida con skb->len antes de la resta. El resultado es un unsigned int. Cuando este resultado entero sin signo se asigna a la variable de copia s64, se extiende a cero, conservando su valor no negativo. Por lo tanto, la copia siempre es >= 0. Supongamos que enviamos 2 GB de datos y que size_goal se ha ajustado a un valor menor que skb->len. La resta har\u00e1 que la copia contenga un entero positivo muy grande. En la l\u00f3gica subsiguiente, este valor alto se utiliza para actualizar sk->sk_forward_alloc, lo que puede provocar f\u00e1cilmente un desbordamiento. El reproductor syzkaller utiliza TCP_REPAIR para crear esta condici\u00f3n de forma fiable. Sin embargo, esto tambi\u00e9n puede ocurrir en situaciones reales. La funci\u00f3n tcp_bound_to_half_wnd() tambi\u00e9n puede reducir size_goal a un valor peque\u00f1o. Esto provocar\u00eda que la funci\u00f3n tcp_wmem_schedule() posterior estableciera sk->sk_forward_alloc en un valor cercano a INT_MAX. Las solicitudes de asignaci\u00f3n de memoria adicionales har\u00edan que sk_forward_alloc se repita y se vuelva negativo. [1]: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47"}], "lastModified": "2025-07-29T14:14:55.157", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}