[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2025070411-CVE-2025-38183-1283@gregkh>
Date: Fri, 4 Jul 2025 15:37:12 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38183: net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get()
Before calling lan743x_ptp_io_event_clock_get(), the 'channel' value
is checked against the maximum value of PCI11X1X_PTP_IO_MAX_CHANNELS(8).
This seems correct and aligns with the PTP interrupt status register
(PTP_INT_STS) specifications.
However, lan743x_ptp_io_event_clock_get() writes to ptp->extts[] with
only LAN743X_PTP_N_EXTTS(4) elements, using channel as an index:
lan743x_ptp_io_event_clock_get(..., u8 channel,...)
{
...
/* Update Local timestamp */
extts = &ptp->extts[channel];
extts->ts.tv_sec = sec;
...
}
To avoid an out-of-bounds write and utilize all the supported GPIO
inputs, set LAN743X_PTP_N_EXTTS to 8.
Detected using the static analysis tool - Svace.
The Linux kernel CVE team has assigned CVE-2025-38183 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.18 with commit 60942c397af6094c04406b77982314dfe69ef3c4 and fixed in 6.1.142 with commit e8d48201a132f4aab31351c19a802c5a5ae820fa
Issue introduced in 5.18 with commit 60942c397af6094c04406b77982314dfe69ef3c4 and fixed in 6.6.95 with commit 66bba1fd5bad548c03f7e42669a59f3f4d8211cc
Issue introduced in 5.18 with commit 60942c397af6094c04406b77982314dfe69ef3c4 and fixed in 6.12.35 with commit 41017bd66c533f7af912c58273c7dfd5de0065d4
Issue introduced in 5.18 with commit 60942c397af6094c04406b77982314dfe69ef3c4 and fixed in 6.15.4 with commit 4da0d23516857230b8e9b3022e25422ee2e2ba80
Issue introduced in 5.18 with commit 60942c397af6094c04406b77982314dfe69ef3c4 and fixed in 6.16-rc3 with commit e353b0854d3a1a31cb061df8d022fbfea53a0f24
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38183
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/ethernet/microchip/lan743x_ptp.h
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/e8d48201a132f4aab31351c19a802c5a5ae820fa
https://git.kernel.org/stable/c/66bba1fd5bad548c03f7e42669a59f3f4d8211cc
https://git.kernel.org/stable/c/41017bd66c533f7af912c58273c7dfd5de0065d4
https://git.kernel.org/stable/c/4da0d23516857230b8e9b3022e25422ee2e2ba80
https://git.kernel.org/stable/c/e353b0854d3a1a31cb061df8d022fbfea53a0f24
Powered by blists - more mailing lists