lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <2025071029-CVE-2025-38320-4e71@gregkh>
Date: Thu, 10 Jul 2025 10:15:28 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38320: arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()

KASAN reports a stack-out-of-bounds read in regs_get_kernel_stack_nth().

Call Trace:
[   97.283505] BUG: KASAN: stack-out-of-bounds in regs_get_kernel_stack_nth+0xa8/0xc8
[   97.284677] Read of size 8 at addr ffff800089277c10 by task 1.sh/2550
[   97.285732]
[   97.286067] CPU: 7 PID: 2550 Comm: 1.sh Not tainted 6.6.0+ #11
[   97.287032] Hardware name: linux,dummy-virt (DT)
[   97.287815] Call trace:
[   97.288279]  dump_backtrace+0xa0/0x128
[   97.288946]  show_stack+0x20/0x38
[   97.289551]  dump_stack_lvl+0x78/0xc8
[   97.290203]  print_address_description.constprop.0+0x84/0x3c8
[   97.291159]  print_report+0xb0/0x280
[   97.291792]  kasan_report+0x84/0xd0
[   97.292421]  __asan_load8+0x9c/0xc0
[   97.293042]  regs_get_kernel_stack_nth+0xa8/0xc8
[   97.293835]  process_fetch_insn+0x770/0xa30
[   97.294562]  kprobe_trace_func+0x254/0x3b0
[   97.295271]  kprobe_dispatcher+0x98/0xe0
[   97.295955]  kprobe_breakpoint_handler+0x1b0/0x210
[   97.296774]  call_break_hook+0xc4/0x100
[   97.297451]  brk_handler+0x24/0x78
[   97.298073]  do_debug_exception+0xac/0x178
[   97.298785]  el1_dbg+0x70/0x90
[   97.299344]  el1h_64_sync_handler+0xcc/0xe8
[   97.300066]  el1h_64_sync+0x78/0x80
[   97.300699]  kernel_clone+0x0/0x500
[   97.301331]  __arm64_sys_clone+0x70/0x90
[   97.302084]  invoke_syscall+0x68/0x198
[   97.302746]  el0_svc_common.constprop.0+0x11c/0x150
[   97.303569]  do_el0_svc+0x38/0x50
[   97.304164]  el0_svc+0x44/0x1d8
[   97.304749]  el0t_64_sync_handler+0x100/0x130
[   97.305500]  el0t_64_sync+0x188/0x190
[   97.306151]
[   97.306475] The buggy address belongs to stack of task 1.sh/2550
[   97.307461]  and is located at offset 0 in frame:
[   97.308257]  __se_sys_clone+0x0/0x138
[   97.308910]
[   97.309241] This frame has 1 object:
[   97.309873]  [48, 184) 'args'
[   97.309876]
[   97.310749] The buggy address belongs to the virtual mapping at
[   97.310749]  [ffff800089270000, ffff800089279000) created by:
[   97.310749]  dup_task_struct+0xc0/0x2e8
[   97.313347]
[   97.313674] The buggy address belongs to the physical page:
[   97.314604] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14f69a
[   97.315885] flags: 0x15ffffe00000000(node=1|zone=2|lastcpupid=0xfffff)
[   97.316957] raw: 015ffffe00000000 0000000000000000 dead000000000122 0000000000000000
[   97.318207] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   97.319445] page dumped because: kasan: bad access detected
[   97.320371]
[   97.320694] Memory state around the buggy address:
[   97.321511]  ffff800089277b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   97.322681]  ffff800089277b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   97.323846] >ffff800089277c00: 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00
[   97.325023]                          ^
[   97.325683]  ffff800089277c80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3
[   97.326856]  ffff800089277d00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00

This issue seems to be related to the behavior of some gcc compilers and
was also fixed on the s390 architecture before:

 commit d93a855c31b7 ("s390/ptrace: Avoid KASAN false positives in regs_get_kernel_stack_nth()")

As described in that commit, regs_get_kernel_stack_nth() has confirmed that
`addr` is on the stack, so reading the value at `*addr` should be allowed.
Use READ_ONCE_NOCHECK() helper to silence the KASAN check for this case.

[will: Use '*addr' as the argument to READ_ONCE_NOCHECK()]

The Linux kernel CVE team has assigned CVE-2025-38320 to this issue.
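To make the bounds check the fix relies on concrete, here is an added userspace model of regs_within_kernel_stack() and regs_get_kernel_stack_nth() as the arm64 code is structured; it is example code written for this page, not the kernel's source or the commit's patch. THREAD_SIZE of 16 KiB, the statically allocated `fake_stack` and its fill pattern, the `probe()` helper and the `read_once_nocheck()` macro are all assumptions for illustration: in the kernel READ_ONCE_NOCHECK() is a read that KASAN does not instrument, which a volatile read here only stands in for. The model shows why the KASAN report is a false positive rather than a real out-of-bounds read: the kernel's check admits any word inside the task's THREAD_SIZE-aligned stack window (reads past the window return 0), while KASAN tracks frame objects at finer granularity, so a word that lies in a frame's left redzone (the `f1` shadow bytes before the `'args'` object in the report above) is inside the window yet flagged.

```c
/* Userspace model of the arm64 regs_get_kernel_stack_nth() bounds check.
 * Added example for illustration, not kernel code; THREAD_SIZE, the fake
 * stack and the helper names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define THREAD_SIZE (16UL * 1024)                  /* assumed 16 KiB window */
#define NWORDS      (THREAD_SIZE / sizeof(unsigned long))

/* Stand-in for the kernel's READ_ONCE_NOCHECK(): a volatile read.  In the
 * kernel the helper is a read KASAN does not instrument; here it only
 * documents that the address has already been validated. */
#define read_once_nocheck(x) (*(volatile __typeof__(x) *)&(x))

struct fake_regs {
    uintptr_t sp;   /* saved stack pointer at the time of the probe */
};

/* Constructed stack: THREAD_SIZE-aligned so the mask test below behaves as
 * it does for a real kernel stack.  Word i is filled with 0x1000 + i. */
static unsigned long fake_stack[NWORDS] __attribute__((aligned(THREAD_SIZE)));

static void init_fake_stack(void)
{
    for (size_t i = 0; i < NWORDS; i++)
        fake_stack[i] = 0x1000 + i;
}

/* Same test as regs_within_kernel_stack(): does addr fall in the
 * THREAD_SIZE-aligned window that contains the saved stack pointer? */
static int within_kernel_stack(const struct fake_regs *regs, uintptr_t addr)
{
    return (addr & ~(THREAD_SIZE - 1)) == (regs->sp & ~(THREAD_SIZE - 1));
}

/* n-th word above the stack pointer, or 0 if it lies outside the window.
 * The window check is the only bound; it says nothing about frame layout. */
unsigned long get_kernel_stack_nth(const struct fake_regs *regs, unsigned int n)
{
    unsigned long *addr = (unsigned long *)regs->sp;

    addr += n;
    if (within_kernel_stack(regs, (uintptr_t)addr))
        return read_once_nocheck(*addr);
    return 0;
}

/* Scenario: sp sits 8 words below the top of the window, so n = 0..7 read
 * real stack words and n >= 8 falls off the window and yields 0. */
unsigned long probe(unsigned int n)
{
    struct fake_regs regs = { .sp = (uintptr_t)&fake_stack[NWORDS - 8] };

    init_fake_stack();
    return get_kernel_stack_nth(&regs, n);
}

int main(void)
{
    for (unsigned int n = 0; n < 10; n++)
        printf("n=%u -> 0x%lx\n", n, probe(n));
    return 0;
}
```

Run as written, words 0 through 7 print the fill pattern and words 8 and 9 print 0. The design point for a reviewer of the fix is that the patch does not widen what may be read: the window check still rejects anything outside the task's stack, and READ_ONCE_NOCHECK() only tells KASAN that this particular, already-bounded read is intentional.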


Affected and fixed versions
===========================

	Issue introduced in 4.8 with commit 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 and fixed in 5.4.295 with commit 64773b3ea09235168a549a195cba43bb867c4a17
	Issue introduced in 4.8 with commit 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 and fixed in 5.10.239 with commit 67abac27d806e8f9d4226ec1528540cf73af673a
	Issue introduced in 4.8 with commit 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 and fixed in 5.15.186 with commit 92750bfe7b0d8dbcaf578c091a65eda1c5f9ad38
	Issue introduced in 4.8 with commit 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 and fixed in 6.1.142 with commit 01f91d415a8375d85e0c7d3615cd4a168308bb7c
	Issue introduced in 4.8 with commit 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 and fixed in 6.6.95 with commit 21da6d3561f373898349ca7167c9811c020da695
	Issue introduced in 4.8 with commit 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 and fixed in 6.12.35 with commit 22f935bc86bdfbde04009f05eee191d220cd8c89
	Issue introduced in 4.8 with commit 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 and fixed in 6.15.4 with commit 422e565b7889ebfd9c8705a3fc786642afe61fca
	Issue introduced in 4.8 with commit 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 and fixed in 6.16-rc3 with commit 39dfc971e42d886e7df01371cd1bef505076d84c

Please see https://www.kernel.org for the full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38320
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	arch/arm64/kernel/ptrace.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/64773b3ea09235168a549a195cba43bb867c4a17
	https://git.kernel.org/stable/c/67abac27d806e8f9d4226ec1528540cf73af673a
	https://git.kernel.org/stable/c/92750bfe7b0d8dbcaf578c091a65eda1c5f9ad38
	https://git.kernel.org/stable/c/01f91d415a8375d85e0c7d3615cd4a168308bb7c
	https://git.kernel.org/stable/c/21da6d3561f373898349ca7167c9811c020da695
	https://git.kernel.org/stable/c/22f935bc86bdfbde04009f05eee191d220cd8c89
	https://git.kernel.org/stable/c/422e565b7889ebfd9c8705a3fc786642afe61fca
	https://git.kernel.org/stable/c/39dfc971e42d886e7df01371cd1bef505076d84c
