CVE-2025-22048 (GCVE-0-2025-22048)
Vulnerability from cvelistv5
Published
2025-04-16 14:12
Modified
2025-05-26 05:17
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Don't override subprog's return value The verifier test `calls: div by 0 in subprog` triggers a panic at the ld.bu instruction. The ld.bu insn is trying to load byte from memory address returned by the subprog. The subprog actually set the correct address at the a5 register (dedicated register for BPF return values). But at commit 73c359d1d356 ("LoongArch: BPF: Sign-extend return values") we also sign extended a5 to the a0 register (return value in LoongArch). For function call insn, we later propagate the a0 register back to a5 register. This is right for native calls but wrong for bpf2bpf calls which expect zero-extended return value in a5 register. So only move a0 to a5 for native calls (i.e. non-BPF_PSEUDO_CALL).
References
Impacted products
Vendor Product Version
Linux Linux Version: 0c8d50501bc13cacecc19caaddc10db372592a39
Version: d5d83242a1d778ceb6d8b07c6b491cf7483ca112
Version: 73c359d1d356cf10236ccd358bd55edab33e9424
Version: 73c359d1d356cf10236ccd358bd55edab33e9424
Version: 73c359d1d356cf10236ccd358bd55edab33e9424
Version: 8382e92f90b601acf6d426121e6f4991502e767d
Version: 3b75f627b73d96787a493e2f1187543ba9c056a4
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/loongarch/net/bpf_jit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7df2696256a034405d3c5a71b3a4c54725de4404",
              "status": "affected",
              "version": "0c8d50501bc13cacecc19caaddc10db372592a39",
              "versionType": "git"
            },
            {
              "lessThan": "223d565d8892481684091cfbaf3466f2b0e289d3",
              "status": "affected",
              "version": "d5d83242a1d778ceb6d8b07c6b491cf7483ca112",
              "versionType": "git"
            },
            {
              "lessThan": "780628a780b622759d9e5adc76d15432144da1a3",
              "status": "affected",
              "version": "73c359d1d356cf10236ccd358bd55edab33e9424",
              "versionType": "git"
            },
            {
              "lessThan": "996e90ab446641553e8e21707b38b9709605e0e0",
              "status": "affected",
              "version": "73c359d1d356cf10236ccd358bd55edab33e9424",
              "versionType": "git"
            },
            {
              "lessThan": "60f3caff1492e5b8616b9578c4bedb5c0a88ed14",
              "status": "affected",
              "version": "73c359d1d356cf10236ccd358bd55edab33e9424",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8382e92f90b601acf6d426121e6f4991502e767d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3b75f627b73d96787a493e2f1187543ba9c056a4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/loongarch/net/bpf_jit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "6.6.64",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.12.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.120",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Don\u0027t override subprog\u0027s return value\n\nThe verifier test `calls: div by 0 in subprog` triggers a panic at the\nld.bu instruction. The ld.bu insn is trying to load byte from memory\naddress returned by the subprog. The subprog actually set the correct\naddress at the a5 register (dedicated register for BPF return values).\nBut at commit 73c359d1d356 (\"LoongArch: BPF: Sign-extend return values\")\nwe also sign extended a5 to the a0 register (return value in LoongArch).\nFor function call insn, we later propagate the a0 register back to a5\nregister. This is right for native calls but wrong for bpf2bpf calls\nwhich expect zero-extended return value in a5 register. So only move a0\nto a5 for native calls (i.e. non-BPF_PSEUDO_CALL)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:20.353Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7df2696256a034405d3c5a71b3a4c54725de4404"
        },
        {
          "url": "https://git.kernel.org/stable/c/223d565d8892481684091cfbaf3466f2b0e289d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/780628a780b622759d9e5adc76d15432144da1a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/996e90ab446641553e8e21707b38b9709605e0e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/60f3caff1492e5b8616b9578c4bedb5c0a88ed14"
        }
      ],
      "title": "LoongArch: BPF: Don\u0027t override subprog\u0027s return value",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22048",
    "datePublished": "2025-04-16T14:12:07.679Z",
    "dateReserved": "2024-12-29T08:45:45.810Z",
    "dateUpdated": "2025-05-26T05:17:20.353Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-22048\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-16T15:15:58.220\",\"lastModified\":\"2025-04-17T20:22:16.240\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nLoongArch: BPF: Don\u0027t override subprog\u0027s return value\\n\\nThe verifier test `calls: div by 0 in subprog` triggers a panic at the\\nld.bu instruction. The ld.bu insn is trying to load byte from memory\\naddress returned by the subprog. The subprog actually set the correct\\naddress at the a5 register (dedicated register for BPF return values).\\nBut at commit 73c359d1d356 (\\\"LoongArch: BPF: Sign-extend return values\\\")\\nwe also sign extended a5 to the a0 register (return value in LoongArch).\\nFor function call insn, we later propagate the a0 register back to a5\\nregister. This is right for native calls but wrong for bpf2bpf calls\\nwhich expect zero-extended return value in a5 register. So only move a0\\nto a5 for native calls (i.e. non-BPF_PSEUDO_CALL).\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: LoongArch: BPF: No anule el valor de retorno del subprograma La prueba del verificador `calls: div by 0 in subprog` desencadena un p\u00e1nico en la instrucci\u00f3n ld.bu. La instrucci\u00f3n ld.bu insn intenta cargar un byte desde la direcci\u00f3n de memoria devuelta por el subprograma. El subprograma en realidad estableci\u00f3 la direcci\u00f3n correcta en el registro a5 (registro dedicado para valores de retorno de BPF). Pero en el commit 73c359d1d356 (\\\"LoongArch: BPF: Valores de retorno con signo extendido\\\") tambi\u00e9n firmamos a5 extendido en el registro a0 (valor de retorno en LoongArch). Para la instrucci\u00f3n de llamada a funci\u00f3n insn, luego propagamos el registro a0 de vuelta al registro a5. Esto es correcto para llamadas nativas, pero incorrecto para llamadas bpf2bpf que esperan un valor de retorno extendido cero en el registro a5. Por lo tanto, solo mueva a0 a a5 para llamadas nativas (es decir, no BPF_PSEUDO_CALL).\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/223d565d8892481684091cfbaf3466f2b0e289d3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/60f3caff1492e5b8616b9578c4bedb5c0a88ed14\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/780628a780b622759d9e5adc76d15432144da1a3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7df2696256a034405d3c5a71b3a4c54725de4404\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/996e90ab446641553e8e21707b38b9709605e0e0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.