| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025081922-CVE-2025-38607-c6ce@gregkh> Date: Tue, 19 Aug 2025 19:18:53 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38607: bpf: handle jset (if a & b ...) as a jump in CFG computation From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: bpf: handle jset (if a & b ...) as a jump in CFG computation BPF_JSET is a conditional jump and currently verifier.c:can_jump() does not know about that. This can lead to incorrect live registers and SCC computation. E.g. in the following example: 1: r0 = 1; 2: r2 = 2; 3: if r1 & 0x7 goto +1; 4: exit; 5: r0 = r2; 6: exit; W/o this fix insn_successors(3) will return only (4), a jump to (5) would be missed and r2 won't be marked as alive at (3). The Linux kernel CVE team has assigned CVE-2025-38607 to this issue. Affected and fixed versions =========================== Issue introduced in 6.15 with commit 14c8552db64476ffc27c13dc6652fc0dac31c0ba and fixed in 6.15.10 with commit 65eb166b8636365ad3d6e36d50a7c5edfe6cc66e Issue introduced in 6.15 with commit 14c8552db64476ffc27c13dc6652fc0dac31c0ba and fixed in 6.16.1 with commit 261b30ad1516f4b9edd500aa6e8d6315c8fc109a Issue introduced in 6.15 with commit 14c8552db64476ffc27c13dc6652fc0dac31c0ba and fixed in 6.17-rc1 with commit 3157f7e2999616ac91f4d559a8566214f74000a5 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38607 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: kernel/bpf/verifier.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/65eb166b8636365ad3d6e36d50a7c5edfe6cc66e https://git.kernel.org/stable/c/261b30ad1516f4b9edd500aa6e8d6315c8fc109a https://git.kernel.org/stable/c/3157f7e2999616ac91f4d559a8566214f74000a5
Powered by blists - more mailing lists