Wind River Support Network

Acknowledged

LIN1022-16394 : Security Advisory - linux - CVE-2025-38185

Created: Jul 7, 2025    Updated: Jul 8, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

atm: atmtcp: Free invalid length skb in atmtcp_c_send().

syzbot reported the splat below. [0]

vcc_sendmsg() copies data passed from userspace to skb and passes
it to vcc->dev->ops->send().

atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after
checking if skb->len is 0, but it's not enough.

Also, when skb->len == 0, skb and sk (vcc) were leaked because
dev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing
to revert atm_account_tx() in vcc_sendmsg(), which is expected
to be done in atm_pop_raw().

Let's properly free skb with an invalid length in atmtcp_c_send().

[0]:
BUG: KMSAN: uninit-value in atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294
 atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294
 vcc_sendmsg+0xd7c/0xff0 net/atm/common.c:644
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x330/0x3d0 net/socket.c:727
 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566
 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620
 __sys_sendmsg net/socket.c:2652 [inline]
 __do_sys_sendmsg net/socket.c:2657 [inline]
 __se_sys_sendmsg net/socket.c:2655 [inline]
 __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655
 x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4154 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4249
 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579
 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:670
 alloc_skb include/linux/skbuff.h:1336 [inline]
 vcc_sendmsg+0xb40/0xff0 net/atm/common.c:628
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x330/0x3d0 net/socket.c:727
 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566
 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620
 __sys_sendmsg net/socket.c:2652 [inline]
 __do_sys_sendmsg net/socket.c:2657 [inline]
 __se_sys_sendmsg net/socket.c:2655 [inline]
 __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655
 x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 5798 Comm: syz-executor192 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
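
A user-space C model of the length check and cleanup described above, added here as an example; it is not the kernel patch and not Wind River code. The struct layouts, the model_* names, the byte-count accounting and the -1 return value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed 8-byte header layout for this model; not copied from the kernel tree. */
struct model_hdr { uint16_t vpi; uint16_t vci; uint32_t length; };
/* Stand-in for an skb: heap buffer plus the number of valid bytes in it. */
struct model_skb { unsigned char *data; size_t len; };

static int live_skbs;     /* buffers allocated and not yet freed */
static long wmem_charged; /* stand-in for the socket's write-memory accounting */

/* Models the sendmsg side: copy n user bytes into a fresh buffer and charge the socket. */
static struct model_skb *model_alloc(const void *user, size_t n)
{
    struct model_skb *skb = malloc(sizeof(*skb));
    if (!skb) return NULL;
    skb->data = malloc(n ? n : 1); /* bytes past n are never initialised */
    if (!skb->data) { free(skb); return NULL; }
    if (n) memcpy(skb->data, user, n);
    skb->len = n;
    live_skbs++;
    wmem_charged += (long)n;
    return skb;
}

/* Models the pop path: revert the charge and free the buffer. */
static void model_pop(struct model_skb *skb)
{
    wmem_charged -= (long)skb->len;
    live_skbs--;
    free(skb->data);
    free(skb);
}

/* Send with the check the advisory calls for: the header is read only when
 * all of it is present, and every exit path releases the buffer. */
static int model_send(struct model_skb *skb, struct model_hdr *out)
{
    if (!skb) return -1;
    if (skb->len < sizeof(struct model_hdr)) { /* covers len == 0 and short input */
        model_pop(skb);                        /* free and uncharge, no leak */
        return -1;
    }
    memcpy(out, skb->data, sizeof(*out));
    model_pop(skb);
    return 0;
}

int main(void) { struct model_hdr h; return model_send(model_alloc("abc", 3), &h) == -1 ? 0 : 1; }
```

A check for len == 0 alone would let the 3-byte input through to the header read, which is the uninitialised access KMSAN reports in the splat.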

CREATE(Triage):(User=admin) CVE-2025-38185 (https://nvd.nist.gov/vuln/detail/CVE-2025-38185)