| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025063055-CVE-2025-38090-52ef@gregkh>
Date: Mon, 30 Jun 2025 09:29:54 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38090: drivers/rapidio/rio_cm.c: prevent possible heap overwrite
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
drivers/rapidio/rio_cm.c: prevent possible heap overwrite
In
riocm_cdev_ioctl(RIO_CM_CHAN_SEND)
-> cm_chan_msg_send()
-> riocm_ch_send()
cm_chan_msg_send() checks that userspace didn't send too much data but
riocm_ch_send() failed to check that userspace sent sufficient data. The
result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr
which were outside the bounds of the space which cm_chan_msg_send()
allocated.
Address this by teaching riocm_ch_send() to check that the entire
rio_ch_chan_hdr was copied in from userspace.
The Linux kernel CVE team has assigned CVE-2025-38090 to this issue.
Affected and fixed versions
===========================
Fixed in 5.4.295 with commit a8b5ea2e302aa5cd00fc7addd8df53c9bde7b5f6
Fixed in 5.10.239 with commit c03ddc183249f03fc7e057e02cae6f89144d0123
Fixed in 5.15.186 with commit 58f664614f8c3d6142ab81ae551e466dc6e092e8
Fixed in 6.1.142 with commit ecf5ee280b702270afb02f61b299d3dfe3ec7730
Fixed in 6.6.95 with commit 1921781ec4a8824bd0c520bf9363e28a880d14ec
Fixed in 6.12.35 with commit 1cce6ac47f4a2ac1766b8a188dc8c8f6d8df2a53
Fixed in 6.15.4 with commit 6d5c6711a55c35ce09b90705546050408d9d4b61
Fixed in 6.16-rc2 with commit 50695153d7ddde3b1696dbf0085be0033bf3ddb3
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38090
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/rapidio/rio_cm.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/a8b5ea2e302aa5cd00fc7addd8df53c9bde7b5f6
https://git.kernel.org/stable/c/c03ddc183249f03fc7e057e02cae6f89144d0123
https://git.kernel.org/stable/c/58f664614f8c3d6142ab81ae551e466dc6e092e8
https://git.kernel.org/stable/c/ecf5ee280b702270afb02f61b299d3dfe3ec7730
https://git.kernel.org/stable/c/1921781ec4a8824bd0c520bf9363e28a880d14ec
https://git.kernel.org/stable/c/1cce6ac47f4a2ac1766b8a188dc8c8f6d8df2a53
https://git.kernel.org/stable/c/6d5c6711a55c35ce09b90705546050408d9d4b61
https://git.kernel.org/stable/c/50695153d7ddde3b1696dbf0085be0033bf3ddb3
Powered by blists - more mailing lists