| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061848-CVE-2025-38027-3bca@gregkh> Date: Wed, 18 Jun 2025 11:29:01 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38027: regulator: max20086: fix invalid memory access From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: regulator: max20086: fix invalid memory access max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument. of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a struct devm_of_regulator_matches which will be de-allocated using devm_of_regulator_put_matches(). struct devm_of_regulator_matches is populated with the stack allocated matches array. If the device fails to probe, devm_of_regulator_put_matches() will be called and will try to call of_node_put() on that stack pointer, generating the following dmesg entries: max20086 6-0028: Failed to read DEVICE_ID reg: -121 kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet kobject_put() is being called. Followed by a stack trace matching the call flow described above. Switch to allocating the matches array using devm_kcalloc() to avoid accessing the stack pointer long after it's out of scope. This also has the advantage of allowing multiple max20086 to probe without overriding the data stored inside the global of_regulator_match. The Linux kernel CVE team has assigned CVE-2025-38027 to this issue. Affected and fixed versions =========================== Issue introduced in 5.17 with commit bfff546aae50ae68ed395bf0e0848188d27b0ba3 and fixed in 6.1.140 with commit 6ba30f7aa2c550b2ac04f16b81a19a8c045b8660 Issue introduced in 5.17 with commit bfff546aae50ae68ed395bf0e0848188d27b0ba3 and fixed in 6.6.92 with commit 7bddac8603d4e396872c2fbf4403ec08e7b1d7c8 Issue introduced in 5.17 with commit bfff546aae50ae68ed395bf0e0848188d27b0ba3 and fixed in 6.12.30 with commit d2a9a92bb4cc7568cff68241b0051dc7268bdc68 Issue introduced in 5.17 with commit bfff546aae50ae68ed395bf0e0848188d27b0ba3 and fixed in 6.14.8 with commit 5578ab04bd7732f470fc614bbc0a924900399fb8 Issue introduced in 5.17 with commit bfff546aae50ae68ed395bf0e0848188d27b0ba3 and fixed in 6.15 with commit 6b0cd72757c69bc2d45da42b41023e288d02e772 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38027 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/regulator/max20086-regulator.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/6ba30f7aa2c550b2ac04f16b81a19a8c045b8660 https://git.kernel.org/stable/c/7bddac8603d4e396872c2fbf4403ec08e7b1d7c8 https://git.kernel.org/stable/c/d2a9a92bb4cc7568cff68241b0051dc7268bdc68 https://git.kernel.org/stable/c/5578ab04bd7732f470fc614bbc0a924900399fb8 https://git.kernel.org/stable/c/6b0cd72757c69bc2d45da42b41023e288d02e772
Powered by blists - more mailing lists