Fixed
Created: Oct 23, 2025
Updated: Oct 26, 2025
Resolved Date: Oct 26, 2025
Found In Version: 10.21.20.1
Fix Version: 10.21.20.20
Severity: Standard
Applicable for: Wind River Linux LTS 21
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]arm64: csum: Fix OoB access in IP checksum code for negative lengths[EOL][EOL]Although commit c2c24edb1d9c ("arm64: csum: Fix pathological zero-length[EOL]calls") added an early return for zero-length input, syzkaller has[EOL]popped up with an example of a _negative_ length which causes an[EOL]undefined shift and an out-of-bounds read:[EOL][EOL] ( BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39[EOL) | Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975EOL] ([EOL) | CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0EOL] ( Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023[EOL) | Call trace:EOL] ( dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233[EOL) | show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240EOL] ( __dump_stack lib/dump_stack.c:88 [inline)EOL] ( dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106[EOL) | print_address_description mm/kasan/report.c:351 inline][EOL] ( print_report+0x174/0x514 mm/kasan/report.c:462[EOL) | kasan_report+0xd4/0x130 mm/kasan/report.c:572EOL] ( kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187[EOL) | __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31EOL] ( do_csum+0x44/0x254 arch/arm64/lib/csum.c:39[EOL) | csum_partial+0x30/0x58 lib/checksum.c:128EOL] ( gso_make_checksum include/linux/skbuff.h:4928 [inline)EOL] ( __udp_gso_segment+0xaf4/0x1bc4 net/ipv4/udp_offload.c:332[EOL) | udp6_ufo_fragment+0x540/0xca0 net/ipv6/udp_offload.c:47EOL] ( ipv6_gso_segment+0x5cc/0x1760 net/ipv6/ip6_offload.c:119[EOL) | skb_mac_gso_segment+0x2b4/0x5b0 net/core/gro.c:141EOL] ( __skb_gso_segment+0x250/0x3d0 net/core/dev.c:3401[EOL) | skb_gso_segment include/linux/netdevice.h:4859 inline][EOL] ( validate_xmit_skb+0x364/0xdbc net/core/dev.c:3659[EOL) | validate_xmit_skb_list+0x94/0x130 net/core/dev.c:3709EOL] ( sch_direct_xmit+0xe8/0x548 net/sched/sch_generic.c:327[EOL) | __dev_xmit_skb net/core/dev.c:3805 inline][EOL] ( __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210[EOL) | dev_queue_xmit include/linux/netdevice.h:3085 inline][EOL] ( packet_xmit+0x6c/0x318 net/packet/af_packet.c:276[EOL) | packet_snd net/packet/af_packet.c:3081 inline][EOL] ( packet_sendmsg+0x376c/0x4c98 net/packet/af_packet.c:3113[EOL) | sock_sendmsg_nosec net/socket.c:724 inline][EOL] ( sock_sendmsg net/socket.c:747 [inline)EOL] ( __sys_sendto+0x3b4/0x538 net/socket.c:2144[EOL)[EOL]Extend the early return to reject negative lengths as well, aligning our[EOL]implementation with the generic code in lib/checksum.c
