In the Linux kernel, the following vulnerability has been resolved: smack: /smack/doi: accept...
🔗 CVE IDs covered (1)
📋 Description
In the Linux kernel, the following vulnerability has been resolved:
smack: /smack/doi: accept previously used values
Writing to /smack/doi a value that has ever been written there in the past disables networking for non-ambient labels. E.g.
# cat /smack/doi
3
# netlabelctl -p cipso list
Configured CIPSO mappings (1)
DOI value : 3
mapping type : PASS_THROUGH
# netlabelctl -p map list
Configured NetLabel domain mappings (3)
domain: "_" (IPv4)
protocol: UNLABELED
domain: DEFAULT (IPv4)
protocol: CIPSO, DOI = 3
domain: DEFAULT (IPv6)
protocol: UNLABELED
# cat /smack/ambient
_
# cat /proc/$$/attr/smack/current
_
# ping -c1 10.1.95.12
64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.964 ms
# echo foo >/proc/$$/attr/smack/current
# ping -c1 10.1.95.12
64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.956 ms
unknown option 86
# echo 4 >/smack/doi
# echo 3 >/smack/doi
!> [ 214.050395] smk_cipso_doi:691 cipso add rc = -17
# echo 3 >/smack/doi
!> [ 249.402261] smk_cipso_doi:678 remove rc = -2
!> [ 249.402261] smk_cipso_doi:691 cipso add rc = -17
# ping -c1 10.1.95.12
!!> ping: 10.1.95.12: Address family for hostname not supported
# echo _ >/proc/$$/attr/smack/current
# ping -c1 10.1.95.12
64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.617 ms
This happens because Smack keeps decommissioned DOIs, fails to re-add them, and consequently refuses to add the “default” domain map:
# netlabelctl -p cipso list
Configured CIPSO mappings (2)
DOI value : 3
mapping type : PASS_THROUGH
DOI value : 4
mapping type : PASS_THROUGH
# netlabelctl -p map list
Configured NetLabel domain mappings (2)
domain: "_" (IPv4)
protocol: UNLABELED
!> (no ipv4 map for default domain here)
domain: DEFAULT (IPv6)
protocol: UNLABELED
Fix by clearing decommissioned DOI definitions and serializing concurrent DOI updates with a new lock.
Also:
- allow /smack/doi to live unconfigured, since adding a map (netlbl_cfg_cipsov4_map_add) may fail. CIPSO_V4_DOI_UNKNOWN(0) indicates the unconfigured DOI
- add new DOI before removing the old default map, so the old map remains if the add fails
(2008-02-04, Casey Schaufler)
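As an added defender-side check (it is not part of the kernel commit or of this advisory), the script below parses the "netlabelctl -p map list" output format shown above and reports whether the DEFAULT IPv4 domain still carries a CIPSO mapping for the DOI currently in /smack/doi, which is exactly what disappears in the broken state. The function names and the sample listings embedded in it are constructed for this example.

```shell
#!/bin/sh
# Added health check (not from the kernel commit or the advisory): parse the
# output of `netlabelctl -p map list` and confirm the DEFAULT IPv4 domain still
# maps to CIPSO with the DOI currently in /smack/doi. Function names and the
# sample listings below are constructed for this example.

# check_default_map DOI: reads "map list" output on stdin; succeeds (0) only if
# "domain: DEFAULT (IPv4)" is followed by "protocol: CIPSO, DOI = <DOI>".
check_default_map() {
    awk -v doi="$1" '
        { sub(/^[ \t]+/, "") }                       # netlabelctl indents lines
        /^domain: /                    { in_default = 0 }
        $0 == "domain: DEFAULT (IPv4)" { in_default = 1; next }
        in_default && /^protocol: / {
            if ($0 == "protocol: CIPSO, DOI = " doi) found = 1
            in_default = 0
        }
        END { if (found) exit 0; exit 1 }
    '
}

# smack_doi_healthy: live check on a Smack system. Returns 2 if /smack/doi is
# unreadable or the DOI is unconfigured (CIPSO_V4_DOI_UNKNOWN, i.e. 0),
# 1 if the DEFAULT IPv4 CIPSO map is missing, 0 if it is present.
smack_doi_healthy() {
    doi=$(cat /smack/doi 2>/dev/null) || return 2
    [ "$doi" != "0" ] || return 2
    netlabelctl -p map list | check_default_map "$doi"
}

# Constructed listings mirroring the healthy and broken states shown above.
HEALTHY_MAP_LIST='Configured NetLabel domain mappings (3)
 domain: "_" (IPv4)
   protocol: UNLABELED
 domain: DEFAULT (IPv4)
   protocol: CIPSO, DOI = 3
 domain: DEFAULT (IPv6)
   protocol: UNLABELED'

BROKEN_MAP_LIST='Configured NetLabel domain mappings (2)
 domain: "_" (IPv4)
   protocol: UNLABELED
 domain: DEFAULT (IPv6)
   protocol: UNLABELED'

# Run the live check only where Smack and netlabelctl are actually present.
if [ -r /smack/doi ] && command -v netlabelctl >/dev/null 2>&1; then
    smack_doi_healthy && echo "DEFAULT IPv4 CIPSO map present" \
        || echo "DEFAULT IPv4 CIPSO map missing or DOI unconfigured"
fi
```

Run it after any write to /smack/doi; a non-zero result from smack_doi_healthy means non-ambient labels have lost networking, as in the ping failure above.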
🔗 References (10)
- https://nvd.nist.gov/vuln/detail/CVE-2025-71304
- https://git.kernel.org/stable/c/199452f22d2f74b897fe826f81ec402b0a8461a0
- https://git.kernel.org/stable/c/1c7ee23dfcd18d80770d8f90f2ab5bb1b2bfd8a3
- https://git.kernel.org/stable/c/33d589ed60ae433b483761987b85e0d24e54584e
- https://git.kernel.org/stable/c/5a247a84de0ba44edbbd6be851c8a6b2aa60ff85
- https://git.kernel.org/stable/c/6ec091c5c7eeabd249a7c46813cad1e9f555f859
- https://git.kernel.org/stable/c/8beebb8ad9a003f978e53b06237986588223e15e
- https://git.kernel.org/stable/c/eb718a3c8181ada679340db34cd61bce48e44749
- https://git.kernel.org/stable/c/f8071500177f38cff38892bd85ac631cc6e010b2
- https://github.com/advisories/GHSA-hgc7-rqx4-p393