Acknowledged
Created: Dec 16, 2025
Updated: Dec 18, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

net: atlantic: fix fragment overflow handling in RX path

The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)
fragments when handling large multi-descriptor packets. This causes an
out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.

The issue occurs because the driver doesn't check the total number of
fragments before calling skb_add_rx_frag(). When a packet requires more
than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.

Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for. And reusing the existing check to
prevent the overflow earlier in the code path.

This crash occurred in production with an Aquantia AQC113 10G NIC.

Stack trace from production environment:
```
RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0
Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89 ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90 c8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48 89 fa 83
RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287
RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX: fffffffe0a0c8000
RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI: 0000000000037a40
RBP: 0000000000000024 R08: 0000000000000000 R09: 0000000000000021
R10: 0000000000000848 R11: 0000000000000000 R12: ffffa9bec02a8e24
R13: ffff925ad8615570 R14: 0000000000000000 R15: ffff925b22e80a00
FS: 0000000000000000(0000) GS:ffff925e47880000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4: 0000000000f72ef0
PKRU: 55555554
Call Trace:
<IRQ>
aq_ring_rx_clean+0x175/0xe60 [atlantic]
? aq_ring_rx_clean+0x14d/0xe60 [atlantic]
? aq_ring_tx_clean+0xdf/0x190 [atlantic]
? kmem_cache_free+0x348/0x450
? aq_vec_poll+0x81/0x1d0 [atlantic]
? __napi_poll+0x28/0x1c0
? net_rx_action+0x337/0x420
```

Changes in v4:
- Add Fixes: tag to satisfy patch validation requirements.

Changes in v3:
- Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
  then all fragments are accounted for.
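
The accounting described in the fix, as a user-space model added here for illustration (it is not the atlantic driver's code). The structs, `frags_needed`, `build_packet`, `try_chain`, the 2048-byte buffer size and the value 256 for `AQ_CFG_RX_HDR_SIZE` are assumptions of the model; only the limit of 17 comes from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX_SKB_FRAGS      17   /* limit quoted in the advisory */
#define AQ_CFG_RX_HDR_SIZE 256  /* assumed value for this model */
#define MODEL_MAX_DESC     32   /* hypothetical cap on chain length */

struct rx_buff { unsigned int len; bool is_eop; };  /* simplified descriptor */
struct model_skb { unsigned int nr_frags; unsigned int frag_len[MAX_SKB_FRAGS]; };

/* Count every frag the packet will need before touching the frag array. */
static unsigned int frags_needed(const struct rx_buff *ring, size_t n)
{
    unsigned int frag_cnt = 0;
    for (size_t i = 0; i < n && !ring[i].is_eop; i++)
        frag_cnt++;                 /* one frag per follow-on descriptor */
    if (n && ring[0].len > AQ_CFG_RX_HDR_SIZE)
        frag_cnt++;                 /* first buffer spills past the header copy */
    return frag_cnt;
}

/* Returns 0 when the packet fits, -1 when it is dropped without any write. */
static int build_packet(struct model_skb *skb, const struct rx_buff *ring, size_t n)
{
    skb->nr_frags = 0;
    if (n == 0 || frags_needed(ring, n) > MAX_SKB_FRAGS)
        return -1;
    if (ring[0].len > AQ_CFG_RX_HDR_SIZE)
        skb->frag_len[skb->nr_frags++] = ring[0].len - AQ_CFG_RX_HDR_SIZE;
    for (size_t i = 1; i < n && !ring[i - 1].is_eop; i++)
        skb->frag_len[skb->nr_frags++] = ring[i].len;
    return 0;
}

/* Constructed input: ndesc descriptors, the last marked end-of-packet.
 * Returns the number of frags attached, or -1 if the packet was dropped. */
static int try_chain(unsigned int ndesc, unsigned int first_len)
{
    struct rx_buff ring[MODEL_MAX_DESC] = { 0 };
    struct model_skb skb;
    if (ndesc == 0 || ndesc > MODEL_MAX_DESC)
        return -1;
    for (unsigned int i = 0; i < ndesc; i++)
        ring[i].len = i ? 2048 : first_len;
    ring[ndesc - 1].is_eop = true;
    return build_packet(&skb, ring, ndesc) ? -1 : (int)skb.nr_frags;
}

int main(void) { return try_chain(18, 2048) == -1 ? 0 : 1; }
```

An 18-descriptor chain whose first buffer is longer than the header size needs 18 frags; a count that leaves out the extra frag reports 17 and lets the 18th write land past the array, which is the case the `frag_cnt++` line in `frags_needed` closes.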