Message-ID: <2025081923-CVE-2025-38609-9c6a@gregkh>
Date: Tue, 19 Aug 2025 19:18:55 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38609: PM / devfreq: Check governor before using governor->name
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

PM / devfreq: Check governor before using governor->name

Commit 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from
struct devfreq") removes governor_name and uses governor->name to replace
it. But devfreq->governor may be NULL and directly using
devfreq->governor->name may cause null pointer exception. Move the check of
governor to before using governor->name.

The Linux kernel CVE team has assigned CVE-2025-38609 to this issue.

Affected and fixed versions
===========================
Issue introduced in 5.11 with commit 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 and fixed in 6.1.148 with commit 631e101728df2a86b8fb761b49fad9712c651f8a
Issue introduced in 5.11 with commit 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 and fixed in 6.6.102 with commit 81f50619370045120c133bfdda5b320c8c97d41e
Issue introduced in 5.11 with commit 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 and fixed in 6.12.42 with commit d5632359dbc44862fc1ed04093c1f57529830261
Issue introduced in 5.11 with commit 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 and fixed in 6.15.10 with commit 2731c68f536fddcb71332db7f8d78c5eb4684c04
Issue introduced in 5.11 with commit 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 and fixed in 6.16.1 with commit 75323a49aa603cf5484a6d74d0d329e86d756e11
Issue introduced in 5.11 with commit 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 and fixed in 6.17-rc1 with commit bab7834c03820eb11269bc48f07c3800192460d2

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38609
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============
The file(s) affected by this issue are:
drivers/devfreq/devfreq.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/631e101728df2a86b8fb761b49fad9712c651f8a
https://git.kernel.org/stable/c/81f50619370045120c133bfdda5b320c8c97d41e
https://git.kernel.org/stable/c/d5632359dbc44862fc1ed04093c1f57529830261
https://git.kernel.org/stable/c/2731c68f536fddcb71332db7f8d78c5eb4684c04
https://git.kernel.org/stable/c/75323a49aa603cf5484a6d74d0d329e86d756e11
https://git.kernel.org/stable/c/bab7834c03820eb11269bc48f07c3800192460d2
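
The ordering problem described above, as an added user-space illustration (not the kernel patch and not code from drivers/devfreq/devfreq.c). The struct layouts, function names and NAME_LEN are hypothetical stand-ins; the sample data is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16 /* assumption: fixed-size governor name buffer */

/* Simplified stand-ins; not the kernel's struct definitions. */
struct governor { char name[NAME_LEN]; };
struct device_entry { const struct governor *governor; /* may be NULL */ };

/* Pattern the advisory describes: ->name is read first, so the NULL test
 * below comes too late to protect an entry that has no governor. */
int count_users_unchecked(const struct device_entry *devs, size_t n,
                          const struct governor *gov)
{
    int users = 0;
    for (size_t i = 0; i < n; i++) {
        if (!strncmp(devs[i].governor->name, gov->name, NAME_LEN)) {
            if (!devs[i].governor) /* already dereferenced above */
                continue;
            users++;
        }
    }
    return users;
}

/* Corrected ordering: test the pointer, then compare names. */
int count_users_checked(const struct device_entry *devs, size_t n,
                        const struct governor *gov)
{
    int users = 0;
    for (size_t i = 0; i < n; i++) {
        if (!devs[i].governor)
            continue;
        if (!strncmp(devs[i].governor->name, gov->name, NAME_LEN))
            users++;
    }
    return users;
}

/* Constructed sample: three entries, the middle one has no governor. */
int sample_checked(void)
{
    static const struct governor ondemand = { "simple_ondemand" };
    static const struct governor perf = { "performance" };
    const struct device_entry devs[] = { { &ondemand }, { NULL }, { &perf } };
    return count_users_checked(devs, 3, &ondemand);
}
int main(void) { printf("%d\n", sample_checked()); return 0; }
```

The unchecked variant returns correct counts as long as every entry has a governor, which is why this kind of ordering bug can pass ordinary testing.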