| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025111254-CVE-2025-40172-f3b8@gregkh> Date: Wed, 12 Nov 2025 05:53:55 -0500 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40172: accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages() Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault. Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred. The Linux kernel CVE team has assigned CVE-2025-40172 to this issue. Affected and fixed versions =========================== Issue introduced in 6.5 with commit 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c and fixed in 6.6.114 with commit 48b1d42286bfef7628b1d6c8c28d4e456c90f725 Issue introduced in 6.5 with commit 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c and fixed in 6.12.55 with commit 551f1dfbcb7f3e6ed07f9d6c8c1c64337fcd0ede Issue introduced in 6.5 with commit 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c and fixed in 6.17.5 with commit 1ab9733d14cc9987cc5dcd1f0ad1f416e302e2e6 Issue introduced in 6.5 with commit 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c and fixed in 6.18-rc2 with commit 11f08c30a3e4157305ba692f1d44cca5fc9a8fca Issue introduced in 6.4.12 with commit d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40172 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/accel/qaic/qaic_control.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/48b1d42286bfef7628b1d6c8c28d4e456c90f725 https://git.kernel.org/stable/c/551f1dfbcb7f3e6ed07f9d6c8c1c64337fcd0ede https://git.kernel.org/stable/c/1ab9733d14cc9987cc5dcd1f0ad1f416e302e2e6 https://git.kernel.org/stable/c/11f08c30a3e4157305ba692f1d44cca5fc9a8fca
Powered by blists - more mailing lists