CVE-2025-68340 (GCVE-0-2025-68340)

Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58
VLAI?
Title
team: Move team device type change at the end of team_port_add
Summary
In the Linux kernel, the following vulnerability has been resolved: team: Move team device type change at the end of team_port_add Attempting to add a port device that is already up will expectedly fail, but not before modifying the team device header_ops. In the case of the syzbot reproducer the gre0 device is already in state UP when it attempts to add it as a port device of team0, this fails but before that header_ops->create of team0 is changed from eth_header to ipgre_header in the call to team_dev_type_check_change. Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense as the private data of the device still holds a struct team. Example sequence of iproute2 commands to reproduce the hang/BUG(): ip link add dev team0 type team ip link add dev gre0 type gre ip link set dev gre0 up ip link set dev gre0 master team0 ip link set dev team0 up ping -I team0 1.1.1.1 Move team_dev_type_check_change down where all other checks have passed as it changes the dev type with no way to restore it in case one of the checks that follow it fail. Also make sure to preserve the origial mtu assignment: - If port_dev is not the same type as dev, dev takes mtu from port_dev - If port_dev is the same type as dev, port_dev takes mtu from dev This is done by adding a conditional before the call to dev_set_mtu to prevent it from assigning port_dev->mtu = dev->mtu and instead letting team_dev_type_check_change assign dev->mtu = port_dev->mtu. The conditional is needed because the patch moves the call to team_dev_type_check_change past dev_set_mtu. Testing: - team device driver in-tree selftests - Add/remove various devices as slaves of team device - syzbot
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < 4040b5e8963982a00aa821300cb746efc9f2947e (git)
Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < e3eed4f038214494af62c7d2d64749e5108ce6ca (git)
Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < 0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef (git)
Create a notification for this product.
    Linux Linux Affected: 3.7
Unaffected: 0 , < 3.7 (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/team/team_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4040b5e8963982a00aa821300cb746efc9f2947e",
              "status": "affected",
              "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
              "versionType": "git"
            },
            {
              "lessThan": "e3eed4f038214494af62c7d2d64749e5108ce6ca",
              "status": "affected",
              "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
              "versionType": "git"
            },
            {
              "lessThan": "0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef",
              "status": "affected",
              "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/team/team_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.7"
            },
            {
              "lessThan": "3.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: Move team device type change at the end of team_port_add\n\nAttempting to add a port device that is already up will expectedly fail,\nbut not before modifying the team device header_ops.\n\nIn the case of the syzbot reproducer the gre0 device is\nalready in state UP when it attempts to add it as a\nport device of team0, this fails but before that\nheader_ops-\u003ecreate of team0 is changed from eth_header to ipgre_header\nin the call to team_dev_type_check_change.\n\nLater when we end up in ipgre_header() struct ip_tunnel* points to nonsense\nas the private data of the device still holds a struct team.\n\nExample sequence of iproute2 commands to reproduce the hang/BUG():\nip link add dev team0 type team\nip link add dev gre0 type gre\nip link set dev gre0 up\nip link set dev gre0 master team0\nip link set dev team0 up\nping -I team0 1.1.1.1\n\nMove team_dev_type_check_change down where all other checks have passed\nas it changes the dev type with no way to restore it in case\none of the checks that follow it fail.\n\nAlso make sure to preserve the origial mtu assignment:\n  - If port_dev is not the same type as dev, dev takes mtu from port_dev\n  - If port_dev is the same type as dev, port_dev takes mtu from dev\n\nThis is done by adding a conditional before the call to dev_set_mtu\nto prevent it from assigning port_dev-\u003emtu = dev-\u003emtu and instead\nletting team_dev_type_check_change assign dev-\u003emtu = port_dev-\u003emtu.\nThe conditional is needed because the patch moves the call to\nteam_dev_type_check_change past dev_set_mtu.\n\nTesting:\n  - team device driver in-tree selftests\n  - Add/remove various devices as slaves of team device\n  - syzbot"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:58:25.841Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4040b5e8963982a00aa821300cb746efc9f2947e"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3eed4f038214494af62c7d2d64749e5108ce6ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef"
        }
      ],
      "title": "team: Move team device type change at the end of team_port_add",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68340",
    "datePublished": "2025-12-23T13:58:25.841Z",
    "dateReserved": "2025-12-16T14:48:05.297Z",
    "dateUpdated": "2025-12-23T13:58:25.841Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68340\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-23T14:16:40.580\",\"lastModified\":\"2025-12-23T14:51:52.650\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nteam: Move team device type change at the end of team_port_add\\n\\nAttempting to add a port device that is already up will expectedly fail,\\nbut not before modifying the team device header_ops.\\n\\nIn the case of the syzbot reproducer the gre0 device is\\nalready in state UP when it attempts to add it as a\\nport device of team0, this fails but before that\\nheader_ops-\u003ecreate of team0 is changed from eth_header to ipgre_header\\nin the call to team_dev_type_check_change.\\n\\nLater when we end up in ipgre_header() struct ip_tunnel* points to nonsense\\nas the private data of the device still holds a struct team.\\n\\nExample sequence of iproute2 commands to reproduce the hang/BUG():\\nip link add dev team0 type team\\nip link add dev gre0 type gre\\nip link set dev gre0 up\\nip link set dev gre0 master team0\\nip link set dev team0 up\\nping -I team0 1.1.1.1\\n\\nMove team_dev_type_check_change down where all other checks have passed\\nas it changes the dev type with no way to restore it in case\\none of the checks that follow it fail.\\n\\nAlso make sure to preserve the origial mtu assignment:\\n  - If port_dev is not the same type as dev, dev takes mtu from port_dev\\n  - If port_dev is the same type as dev, port_dev takes mtu from dev\\n\\nThis is done by adding a conditional before the call to dev_set_mtu\\nto prevent it from assigning port_dev-\u003emtu = dev-\u003emtu and instead\\nletting team_dev_type_check_change assign dev-\u003emtu = port_dev-\u003emtu.\\nThe conditional is needed because the patch moves the call to\\nteam_dev_type_check_change past dev_set_mtu.\\n\\nTesting:\\n  - team device driver in-tree selftests\\n  - Add/remove various devices as slaves of team device\\n  - syzbot\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4040b5e8963982a00aa821300cb746efc9f2947e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e3eed4f038214494af62c7d2d64749e5108ce6ca\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.