CVE-2025-21921

Description

In the Linux kernel, the following vulnerability has been resolved: net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device ethnl_req_get_phydev() is used to lookup a phy_device, in the case an ethtool netlink command targets a specific phydev within a netdev's topology. It takes as a parameter a const struct nlattr *header that's used for error handling : if (!phydev) { NL_SET_ERR_MSG_ATTR(extack, header, "no phy matching phyindex"); return ERR_PTR(-ENODEV); } In the notify path after a ->set operation however, there's no request attributes available. The typical callsite for the above function looks like: phydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER], info->extack); So, when tb is NULL (such as in the ethnl notify path), we have a nice crash. It turns out that there's only the PLCA command that is in that case, as the other phydev-specific commands don't have a notification. This commit fixes the crash by passing the cmd index and the nlattr array separately, allowing NULL-checking it directly inside the helper.

Reserved 2024-12-29 | Published 2025-04-01 | Updated 2025-05-04 | Assigner Linux

Product status

Default status
unaffected

c15e065b46dc4e19837275b826c1960d55564abd before 639c70352958735addbba5ae7dd65985da96e061
affected

c15e065b46dc4e19837275b826c1960d55564abd before 1f458fa42c29144cef280e05bc49fc21b873d897
affected

c15e065b46dc4e19837275b826c1960d55564abd before 637399bf7e77797811adf340090b561a8f9d1213
affected

Default status
affected

6.12
affected

Any version before 6.12
unaffected

6.12.19
unaffected

6.13.7
unaffected

6.14
unaffected

References

git.kernel.org/...c/639c70352958735addbba5ae7dd65985da96e061

git.kernel.org/...c/1f458fa42c29144cef280e05bc49fc21b873d897

git.kernel.org/...c/637399bf7e77797811adf340090b561a8f9d1213

cve.org (CVE-2025-21921)

nvd.nist.gov (CVE-2025-21921)

Download JSON