CVE-2025-71304

Summary

In the Linux kernel, the following vulnerability has been resolved:

smack: /smack/doi: accept previously used values

Writing to /smack/doi a value that has ever been written there in the past disables networking for non-ambient labels. E.g.

# cat /smack/doi
3
# netlabelctl -p cipso list
Configured CIPSO mappings (1)
 DOI value : 3
   mapping type : PASS_THROUGH
# netlabelctl -p map list
Configured NetLabel domain mappings (3)
 domain: "_" (IPv4)
   protocol: UNLABELED
 domain: DEFAULT (IPv4)
   protocol: CIPSO, DOI = 3
 domain: DEFAULT (IPv6)
   protocol: UNLABELED

# cat /smack/ambient
_
# cat /proc/$$/attr/smack/current
_
# ping -c1 10.1.95.12
64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.964 ms
# echo foo >/proc/$$/attr/smack/current
# ping -c1 10.1.95.12
64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.956 ms
unknown option 86

# echo 4 >/smack/doi
# echo 3 >/smack/doi

!> [ 214.050395] smk_cipso_doi:691 cipso add rc = -17 # echo 3 >/smack/doi !> [ 249.402261] smk_cipso_doi:678 remove rc = -2 !> [ 249.402261] smk_cipso_doi:691 cipso add rc = -17

# ping -c1 10.1.95.12

!!> ping: 10.1.95.12: Address family for hostname not supported

# echo _ >/proc/$$/attr/smack/current
# ping -c1 10.1.95.12
64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.617 ms

This happens because Smack keeps decommissioned DOIs, fails to re-add them, and consequently refuses to add the “default” domain map:

# netlabelctl -p cipso list
Configured CIPSO mappings (2)
 DOI value : 3
   mapping type : PASS_THROUGH
 DOI value : 4
   mapping type : PASS_THROUGH
# netlabelctl -p map list
Configured NetLabel domain mappings (2)
 domain: "_" (IPv4)
   protocol: UNLABELED

!> (no ipv4 map for default domain here) domain: DEFAULT (IPv6) protocol: UNLABELED

Fix by clearing decommissioned DOI definitions and serializing concurrent DOI updates with a new lock.

Also:

  • allow /smack/doi to live unconfigured, since adding a map (netlbl_cfg_cipsov4_map_add) may fail. CIPSO_V4_DOI_UNKNOWN(0) indicates the unconfigured DOI
  • add new DOI before removing the old default map, so the old map remains if the add fails

(2008-02-04, Casey Schaufler)

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxe114e473771c848c3cfec05f0123e70f1cdbdc99 < eb718a3c8181ada679340db34cd61bce48e44749affected
LinuxLinuxe114e473771c848c3cfec05f0123e70f1cdbdc99 < 6ec091c5c7eeabd249a7c46813cad1e9f555f859affected
LinuxLinuxe114e473771c848c3cfec05f0123e70f1cdbdc99 < 199452f22d2f74b897fe826f81ec402b0a8461a0affected
LinuxLinuxe114e473771c848c3cfec05f0123e70f1cdbdc99 < 1c7ee23dfcd18d80770d8f90f2ab5bb1b2bfd8a3affected
LinuxLinuxe114e473771c848c3cfec05f0123e70f1cdbdc99 < f8071500177f38cff38892bd85ac631cc6e010b2affected
LinuxLinuxe114e473771c848c3cfec05f0123e70f1cdbdc99 < 5a247a84de0ba44edbbd6be851c8a6b2aa60ff85affected
LinuxLinuxe114e473771c848c3cfec05f0123e70f1cdbdc99 < 8beebb8ad9a003f978e53b06237986588223e15eaffected
LinuxLinuxe114e473771c848c3cfec05f0123e70f1cdbdc99 < 33d589ed60ae433b483761987b85e0d24e54584eaffected
LinuxLinux2.6.25affected
LinuxLinux0 < 2.6.25unaffected
LinuxLinux5.10.252 <= 5.10.*unaffected
LinuxLinux5.15.202 <= 5.15.*unaffected
LinuxLinux6.1.165 <= 6.1.*unaffected
LinuxLinux6.6.128 <= 6.6.*unaffected
LinuxLinux6.12.75 <= 6.12.*unaffected
LinuxLinux6.18.14 <= 6.18.*unaffected
LinuxLinux6.19.4 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References