HIGH
hns3 VLAN Filter OOB
CVE-2025-71112
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI: 7.1 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net: hns3: add VLAN id validation before using

Currently, the VLAN id may be used without validation when receiving a VLAN configuration mailbox from VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause out-of-bounds memory access once the VLAN id is bigger than or equal to VLAN_N_VID. Therefore, VLAN id needs to be checked to ensure it is within the range of VLAN_N_VID.
02 KernelScan AI Analysis
Risk summary
A malicious or compromised Virtual Function can send invalid VLAN ID values to the Physical Function, causing out-of-bounds memory reads in the kernel. This could potentially lead to information disclosure or system instability. The vulnerability requires local access and the ability to control VF devices in SR-IOV configurations.
Vulnerability analysis
Root Cause: The hclge_set_vlan_filter() function accepts VLAN ID values from VF mailbox messages without validating that they are within the valid range (0 to VLAN_N_VID-1). The vlan_del_fail_bmap bitmap is allocated with size BITS_TO_LONGS(VLAN_N_VID), so accessing it with a VLAN ID >= VLAN_N_VID causes out-of-bounds memory access.
Attack Surface: This vulnerability is triggered through VF-to-PF mailbox communication in SR-IOV environments. An attacker would need to control a VF (Virtual Function) to send malicious VLAN configuration messages to the PF (Physical Function). This requires local access with sufficient privileges to interact with VF devices.
Fix Mechanism: The patch adds a simple bounds check at the beginning of hclge_set_vlan_filter() that returns -EINVAL if the vlan_id parameter is >= VLAN_N_VID, preventing any out-of-bounds access to the vlan_del_fail_bmap bitmap.
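The bounds check described under Fix Mechanism, as a user-space C model added here for illustration; it is not the hns3 driver's code. The struct, the function names and the 16-bit id type are assumptions, and the macros are local stand-ins for the kernel macros the advisory names.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space stand-ins for the kernel macros named in the advisory. */
#define VLAN_N_VID 4096
#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Hypothetical model of the per-port state: one bit per valid VLAN id. */
struct vport_model {
    unsigned long vlan_del_fail_bmap[BITS_TO_LONGS(VLAN_N_VID)];
};

/* Array word an id maps to; for id >= VLAN_N_VID this is past the end. */
static size_t bmap_word_index(uint16_t vlan_id)
{
    return vlan_id / BITS_PER_LONG;
}

/* Hypothetical handler for an id supplied by a VF: validate, then index. */
static int model_mark_vlan_del_fail(struct vport_model *vp, uint16_t vlan_id)
{
    if (vlan_id >= VLAN_N_VID)          /* the check the fix adds */
        return -EINVAL;
    vp->vlan_del_fail_bmap[bmap_word_index(vlan_id)] |=
        1UL << (vlan_id % BITS_PER_LONG);
    return 0;
}

/* Read a bit back, refusing ids outside the bitmap. */
static int model_test_bit(const struct vport_model *vp, uint16_t vlan_id)
{
    if (vlan_id >= VLAN_N_VID)
        return 0;
    return (int)((vp->vlan_del_fail_bmap[bmap_word_index(vlan_id)] >>
                  (vlan_id % BITS_PER_LONG)) & 1UL);
}

int main(void)
{
    const uint16_t ids[] = { 0, 100, 4095, 4096, 65535 }; /* constructed */
    struct vport_model vp;
    memset(&vp, 0, sizeof(vp));
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
        printf("vlan_id=%5u word=%4zu of %zu rc=%d\n", (unsigned)ids[i],
               bmap_word_index(ids[i]), (size_t)BITS_TO_LONGS(VLAN_N_VID),
               model_mark_vlan_del_fail(&vp, ids[i]));
    return 0;
}
```

The printed word index shows that the first rejected id, 4096, maps exactly one word past the end of the bitmap, and that a 16-bit id can point far beyond it.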
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.248 | 46c7d9fe8dd8 |
| 5.15 | 5.15.198 | 42c91dfa772c |
| 6.1 | 6.1.160 | 00e56a7706e1 |
| 6.12 | 6.12.64 | 95cca255a7a5 |
| 6.18 | 6.18.3 | 91a51d01be5c |
| 6.6 | 6.6.120 | b7b4f3bf118f |
| mainline | 6.19 | 6ef935e65902 |