| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025090551-CVE-2025-39719-825e@gregkh> Date: Fri, 5 Sep 2025 19:21:32 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-39719: iio: imu: bno055: fix OOB access of hw_xlate array From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: iio: imu: bno055: fix OOB access of hw_xlate array Fix a potential out-of-bounds array access of the hw_xlate array in bno055.c. In bno055_get_regmask(), hw_xlate was iterated over the length of the vals array instead of the length of the hw_xlate array. In the case of bno055_gyr_scale, the vals array is larger than the hw_xlate array, so this could result in an out-of-bounds access. In practice, this shouldn't happen though because a match should always be found which breaks out of the for loop before it iterates beyond the end of the hw_xlate array. By adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be sure we are iterating over the correct length. The Linux kernel CVE team has assigned CVE-2025-39719 to this issue. Affected and fixed versions =========================== Issue introduced in 6.1 with commit 4aefe1c2bd0cb0223130671d459cd16efa3d3462 and fixed in 6.1.149 with commit a0691ab6334f1769acc64ea9e319414a682ff45d Issue introduced in 6.1 with commit 4aefe1c2bd0cb0223130671d459cd16efa3d3462 and fixed in 6.6.103 with commit 50e823a23816b792daf6e8405f8d6045952bb90e Issue introduced in 6.1 with commit 4aefe1c2bd0cb0223130671d459cd16efa3d3462 and fixed in 6.12.44 with commit 4808ca3aa30ae857454d0b41d2d0bf161a312b45 Issue introduced in 6.1 with commit 4aefe1c2bd0cb0223130671d459cd16efa3d3462 and fixed in 6.16.4 with commit 5c2b601922c064f7be70ae8621277f18d1ffec59 Issue introduced in 6.1 with commit 4aefe1c2bd0cb0223130671d459cd16efa3d3462 and fixed in 6.17-rc1 with commit 399b883ec828e436f1a721bf8551b4da8727e65b Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-39719 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/iio/imu/bno055/bno055.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/a0691ab6334f1769acc64ea9e319414a682ff45d https://git.kernel.org/stable/c/50e823a23816b792daf6e8405f8d6045952bb90e https://git.kernel.org/stable/c/4808ca3aa30ae857454d0b41d2d0bf161a312b45 https://git.kernel.org/stable/c/5c2b601922c064f7be70ae8621277f18d1ffec59 https://git.kernel.org/stable/c/399b883ec828e436f1a721bf8551b4da8727e65b
Powered by blists - more mailing lists