| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025052046-CVE-2025-37974-adfa@gregkh> Date: Tue, 20 May 2025 18:45:53 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-37974: s390/pci: Fix missing check for zpci_create_device() error return From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: s390/pci: Fix missing check for zpci_create_device() error return The zpci_create_device() function returns an error pointer that needs to be checked before dereferencing it as a struct zpci_dev pointer. Add the missing check in __clp_add() where it was missed when adding the scan_list in the fixed commit. Simply not adding the device to the scan list results in the previous behavior. The Linux kernel CVE team has assigned CVE-2025-37974 to this issue. Affected and fixed versions =========================== Issue introduced in 6.12.5 with commit 1f3b309108fd0660ea8614a72328ba866ccd3378 and fixed in 6.12.29 with commit be54b750c333a9db7c3b3686846bb06b07b011fe Issue introduced in 6.13 with commit 0467cdde8c4320bbfdb31a8cff1277b202f677fc and fixed in 6.14.7 with commit 2769b718e164df983c20c314b263a71a699be6cd Issue introduced in 6.13 with commit 0467cdde8c4320bbfdb31a8cff1277b202f677fc and fixed in 6.15-rc6 with commit 42420c50c68f3e95e90de2479464f420602229fc Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-37974 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: arch/s390/pci/pci_clp.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/be54b750c333a9db7c3b3686846bb06b07b011fe https://git.kernel.org/stable/c/2769b718e164df983c20c314b263a71a699be6cd https://git.kernel.org/stable/c/42420c50c68f3e95e90de2479464f420602229fc
Powered by blists - more mailing lists