| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091152-CVE-2025-39788-a86f@gregkh>
Date: Thu, 11 Sep 2025 18:57:06 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39788: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
On Google gs101, the number of UTP transfer request slots (nutrs) is 32,
and in this case the driver ends up programming the UTRL_NEXUS_TYPE
incorrectly as 0.
This is because the left hand side of the shift is 1, which is of type
int, i.e. 31 bits wide. Shifting by more than that width results in
undefined behaviour.
Fix this by switching to the BIT() macro, which applies correct type
casting as required. This ensures the correct value is written to
UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift
warning:
UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21
shift exponent 32 is too large for 32-bit type 'int'
For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE
write.
The Linux kernel CVE team has assigned CVE-2025-39788 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.9 with commit 55f4b1f73631a0817717fe6e98517de51b4c3527 and fixed in 5.10.241 with commit 01510a9e8222f11cce064410f3c2fcf0756c0a08
Issue introduced in 5.9 with commit 55f4b1f73631a0817717fe6e98517de51b4c3527 and fixed in 5.15.190 with commit 098b2c8ee208c77126839047b9e6e1925bb35baa
Issue introduced in 5.9 with commit 55f4b1f73631a0817717fe6e98517de51b4c3527 and fixed in 6.1.149 with commit c1f025da8f370a015e412b55cbcc583f91de8316
Issue introduced in 5.9 with commit 55f4b1f73631a0817717fe6e98517de51b4c3527 and fixed in 6.6.103 with commit 6d53b2a134da77eb7fe65c5c7c7a3c193539a78a
Issue introduced in 5.9 with commit 55f4b1f73631a0817717fe6e98517de51b4c3527 and fixed in 6.12.44 with commit dc8fb963742f1a38d284946638f9358bdaa0ddee
Issue introduced in 5.9 with commit 55f4b1f73631a0817717fe6e98517de51b4c3527 and fixed in 6.16.4 with commit 5b9f1ef293428ea9c0871d96fcec2a87c4445832
Issue introduced in 5.9 with commit 55f4b1f73631a0817717fe6e98517de51b4c3527 and fixed in 6.17-rc1 with commit 01aad16c2257ab8ff33b152b972c9f2e1af47912
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-39788
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/ufs/host/ufs-exynos.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/01510a9e8222f11cce064410f3c2fcf0756c0a08
https://git.kernel.org/stable/c/098b2c8ee208c77126839047b9e6e1925bb35baa
https://git.kernel.org/stable/c/c1f025da8f370a015e412b55cbcc583f91de8316
https://git.kernel.org/stable/c/6d53b2a134da77eb7fe65c5c7c7a3c193539a78a
https://git.kernel.org/stable/c/dc8fb963742f1a38d284946638f9358bdaa0ddee
https://git.kernel.org/stable/c/5b9f1ef293428ea9c0871d96fcec2a87c4445832
https://git.kernel.org/stable/c/01aad16c2257ab8ff33b152b972c9f2e1af47912
Powered by blists - more mailing lists