| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025062801-CVE-2025-38086-783b@gregkh>
Date: Sat, 28 Jun 2025 09:53:02 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38086: net: ch9200: fix uninitialised access during mii_nway_restart
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
net: ch9200: fix uninitialised access during mii_nway_restart
In mii_nway_restart() the code attempts to call
mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read()
utilises a local buffer called "buff", which is initialised
with control_read(). However "buff" is conditionally
initialised inside control_read():
if (err == size) {
memcpy(data, buf, size);
}
If the condition of "err == size" is not met, then
"buff" remains uninitialised. Once this happens the
uninitialised "buff" is accessed and returned during
ch9200_mdio_read():
return (buff[0] | buff[1] << 8);
The problem stems from the fact that ch9200_mdio_read()
ignores the return value of control_read(), leading to
uinit-access of "buff".
To fix this we should check the return value of
control_read() and return early on error.
The Linux kernel CVE team has assigned CVE-2025-38086 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.3 with commit 4a476bd6d1d923922ec950ddc4c27b279f6901eb and fixed in 5.4.295 with commit 119766de4930ff40db9f36b960cb53b0c400e81b
Issue introduced in 4.3 with commit 4a476bd6d1d923922ec950ddc4c27b279f6901eb and fixed in 5.10.239 with commit 33163c68d2e3061fa3935b5f0a1867958b1cdbd2
Issue introduced in 4.3 with commit 4a476bd6d1d923922ec950ddc4c27b279f6901eb and fixed in 5.15.186 with commit 9da3e442714f7f4393ff01c265c4959c03e88c2f
Issue introduced in 4.3 with commit 4a476bd6d1d923922ec950ddc4c27b279f6901eb and fixed in 6.1.142 with commit 9a350f30d65197354706b7759b5c89d6c267b1a9
Issue introduced in 4.3 with commit 4a476bd6d1d923922ec950ddc4c27b279f6901eb and fixed in 6.6.95 with commit 6bd2569d0b2f918e9581f744df0263caf73ee76c
Issue introduced in 4.3 with commit 4a476bd6d1d923922ec950ddc4c27b279f6901eb and fixed in 6.12.35 with commit 4da7fcc098218ff92b2e83a43f545c02f714cedd
Issue introduced in 4.3 with commit 4a476bd6d1d923922ec950ddc4c27b279f6901eb and fixed in 6.15.4 with commit cdaa6d1cb2ff1219c6c822b27655dd170ffb0f72
Issue introduced in 4.3 with commit 4a476bd6d1d923922ec950ddc4c27b279f6901eb and fixed in 6.16-rc1 with commit 9ad0452c0277b816a435433cca601304cfac7c21
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38086
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/usb/ch9200.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/119766de4930ff40db9f36b960cb53b0c400e81b
https://git.kernel.org/stable/c/33163c68d2e3061fa3935b5f0a1867958b1cdbd2
https://git.kernel.org/stable/c/9da3e442714f7f4393ff01c265c4959c03e88c2f
https://git.kernel.org/stable/c/9a350f30d65197354706b7759b5c89d6c267b1a9
https://git.kernel.org/stable/c/6bd2569d0b2f918e9581f744df0263caf73ee76c
https://git.kernel.org/stable/c/4da7fcc098218ff92b2e83a43f545c02f714cedd
https://git.kernel.org/stable/c/cdaa6d1cb2ff1219c6c822b27655dd170ffb0f72
https://git.kernel.org/stable/c/9ad0452c0277b816a435433cca601304cfac7c21
Powered by blists - more mailing lists