| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091906-CVE-2025-39865-3086@gregkh>
Date: Fri, 19 Sep 2025 17:28:29 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39865: tee: fix NULL pointer dereference in tee_shm_put
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
tee: fix NULL pointer dereference in tee_shm_put
tee_shm_put have NULL pointer dereference:
__optee_disable_shm_cache -->
shm = reg_pair_to_ptr(...);//shm maybe return NULL
tee_shm_free(shm); -->
tee_shm_put(shm);//crash
Add check in tee_shm_put to fix it.
panic log:
Unable to handle kernel paging request at virtual address 0000000000100cca
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000
[0000000000100cca] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] SMP
CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ----
6.6.0-39-generic #38
Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07
Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0
10/26/2022
pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : tee_shm_put+0x24/0x188
lr : tee_shm_free+0x14/0x28
sp : ffff001f98f9faf0
x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000
x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048
x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88
x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff
x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003
x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101
x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c
x8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca
Call trace:
tee_shm_put+0x24/0x188
tee_shm_free+0x14/0x28
__optee_disable_shm_cache+0xa8/0x108
optee_shutdown+0x28/0x38
platform_shutdown+0x28/0x40
device_shutdown+0x144/0x2b0
kernel_power_off+0x3c/0x80
hibernate+0x35c/0x388
state_store+0x64/0x80
kobj_attr_store+0x14/0x28
sysfs_kf_write+0x48/0x60
kernfs_fop_write_iter+0x128/0x1c0
vfs_write+0x270/0x370
ksys_write+0x6c/0x100
__arm64_sys_write+0x20/0x30
invoke_syscall+0x4c/0x120
el0_svc_common.constprop.0+0x44/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x24/0x88
el0t_64_sync_handler+0x134/0x150
el0t_64_sync+0x14c/0x15
The Linux kernel CVE team has assigned CVE-2025-39865 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.10.89 with commit c05d8f66ec3470e5212c4d08c46d6cb5738d600d and fixed in 5.10.243 with commit f266188603c34e6e234fb0dfc3185f0ba98d71b7
Issue introduced in 5.15.12 with commit 492eb7afe858d60408b2da09adc78540c4d16543 and fixed in 5.15.192 with commit 4377eac565c297fdfccd2f8e9bf94ee84ff6172f
Issue introduced in 5.16 with commit dfd0743f1d9ea76931510ed150334d571fbab49d and fixed in 6.1.151 with commit 25e315bc8ad363bd1194e49062f183ad4011957e
Issue introduced in 5.16 with commit dfd0743f1d9ea76931510ed150334d571fbab49d and fixed in 6.6.105 with commit add1ecc8f3ad8df22e3599c5c88d7907cc2a3079
Issue introduced in 5.16 with commit dfd0743f1d9ea76931510ed150334d571fbab49d and fixed in 6.12.46 with commit 963fca19fe34c496e04f7dd133b807b76a5434ca
Issue introduced in 5.16 with commit dfd0743f1d9ea76931510ed150334d571fbab49d and fixed in 6.16.6 with commit 5e07a4235bb85d9ef664411e4ff4ac34783c18ff
Issue introduced in 5.16 with commit dfd0743f1d9ea76931510ed150334d571fbab49d and fixed in 6.17-rc5 with commit e4a718a3a47e89805c3be9d46a84de1949a98d5d
Issue introduced in 4.14.261 with commit 3d556a28bbfe34a80b014db49908b0f1bcb1ae80
Issue introduced in 4.19.224 with commit b4a661b4212b8fac8853ec3b68e4a909dccc88a1
Issue introduced in 5.4.170 with commit 940e68e57ab69248fabba5889e615305789db8a7
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-39865
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/tee/tee_shm.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/f266188603c34e6e234fb0dfc3185f0ba98d71b7
https://git.kernel.org/stable/c/4377eac565c297fdfccd2f8e9bf94ee84ff6172f
https://git.kernel.org/stable/c/25e315bc8ad363bd1194e49062f183ad4011957e
https://git.kernel.org/stable/c/add1ecc8f3ad8df22e3599c5c88d7907cc2a3079
https://git.kernel.org/stable/c/963fca19fe34c496e04f7dd133b807b76a5434ca
https://git.kernel.org/stable/c/5e07a4235bb85d9ef664411e4ff4ac34783c18ff
https://git.kernel.org/stable/c/e4a718a3a47e89805c3be9d46a84de1949a98d5d
Powered by blists - more mailing lists