CVE-2025-21678 - Resolved Linux Kernel Vulnerability: GTP Device Destruction with UDP Socket's Netns Dismantle

A vulnerability in the Linux kernel, specifically related to GTP devices and their relationship with UDP sockets, has been resolved. The issue pertains to gtp_newlink() function, which links the GTP device to a list in dev_net(dev) instead of src_net, where a UDP tunnel socket is created. Consequently, when src_net is removed, the GTP device remains alive on dev_net(dev), leading to the splat mentioned below. []

As an example, creating a GTP device gtp in ns2, and the UDP socket being created in ns1

ip netns add ns1
ip netns add ns2
ip -n ns1 link add netns ns2 name gtp type gtp role sgsn
ip netns del ns1

To resolve this issue, the GTP device should be linked to the socket's netns instead. This also requires another netdev iteration in gtp_net_exit_batch_rtnl() to remove all GTP devices in the netns.

The patch for this vulnerability can be found in the official Linux kernel repository: Kernel Patch

To get a better understanding of the affected code and its implications, you can refer to the following: Linux Kernel Mailing List

It is highly recommended that Linux kernel users apply this patch if you're working with versions affected by this vulnerability. Doing so will safeguard against potential issues with GTP devices and UDP sockets that could arise from the flawed configuration of the gtp_newlink().

Timeline

Published on: 01/31/2025 12:15:28 UTC
Last modified on: 02/02/2025 11:15:16 UTC