We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-21922

ppp: Fix KMSAN uninit-value warning with bpf



Description

In the Linux kernel, the following vulnerability has been resolved: ppp: Fix KMSAN uninit-value warning with bpf Syzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the ppp driver not initializing a 2-byte header when using socket filter. The following code can generate a PPP filter BPF program: ''' struct bpf_program fp; pcap_t *handle; handle = pcap_open_dead(DLT_PPP_PPPD, 65535); pcap_compile(handle, &fp, "ip and outbound", 0, 0); bpf_dump(&fp, 1); ''' Its output is: ''' (000) ldh [2] (001) jeq #0x21 jt 2 jf 5 (002) ldb [0] (003) jeq #0x1 jt 4 jf 5 (004) ret #65535 (005) ret #0 ''' Wen can find similar code at the following link: https://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680 The maintainer of this code repository is also the original maintainer of the ppp driver. As you can see the BPF program skips 2 bytes of data and then reads the 'Protocol' field to determine if it's an IP packet. Then it read the first byte of the first 2 bytes to determine the direction. The issue is that only the first byte indicating direction is initialized in current ppp driver code while the second byte is not initialized. For normal BPF programs generated by libpcap, uninitialized data won't be used, so it's not a problem. However, for carefully crafted BPF programs, such as those generated by syzkaller [2], which start reading from offset 0, the uninitialized data will be used and caught by KMSAN. [1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791 [2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000

Reserved 2024-12-29 | Published 2025-04-01 | Updated 2025-05-04 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before d685096c8129c9a92689975193e268945fd21dbf
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 2f591cb158807bdcf424f66f1fbfa6e4e50f3757
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 4e2191b0fd0c064d37b0db67396216f2d4787e0f
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 3de809a768464528762757e433cd50de35bcb3c1
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 1eacd47636a9de5bee25d9d5962dc538a82d9f0b
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 8aa8a40c766b3945b40565a70349d5581458ff63
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before c036f5f2680cbdabdbbace86baee3c83721634d6
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 4c2d14c40a68678d885eab4008a0129646805bae
affected

Default status
affected

2.6.12
affected

Any version before 2.6.12
unaffected

5.4.291
unaffected

5.10.235
unaffected

5.15.179
unaffected

6.1.131
unaffected

6.6.83
unaffected

6.12.19
unaffected

6.13.7
unaffected

6.14
unaffected

References

git.kernel.org/...c/d685096c8129c9a92689975193e268945fd21dbf

git.kernel.org/...c/2f591cb158807bdcf424f66f1fbfa6e4e50f3757

git.kernel.org/...c/4e2191b0fd0c064d37b0db67396216f2d4787e0f

git.kernel.org/...c/3de809a768464528762757e433cd50de35bcb3c1

git.kernel.org/...c/1eacd47636a9de5bee25d9d5962dc538a82d9f0b

git.kernel.org/...c/8aa8a40c766b3945b40565a70349d5581458ff63

git.kernel.org/...c/c036f5f2680cbdabdbbace86baee3c83721634d6

git.kernel.org/...c/4c2d14c40a68678d885eab4008a0129646805bae

cve.org (CVE-2025-21922)

nvd.nist.gov (CVE-2025-21922)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-21922

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.