CVE-2025-22104 (GCVE-0-2025-22104)
Vulnerability from cvelistv5
Published
2025-04-16 14:12
Modified
2025-05-26 05:18
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Use kernel helpers for hex dumps Previously, when the driver was printing hex dumps, the buffer was cast to an 8 byte long and printed using string formatters. If the buffer size was not a multiple of 8 then a read buffer overflow was possible. Therefore, create a new ibmvnic function that loops over a buffer and calls hex_dump_to_buffer instead. This patch address KASAN reports like the one below: ibmvnic 30000003 env3: Login Buffer: ibmvnic 30000003 env3: 01000000af000000 <...> ibmvnic 30000003 env3: 2e6d62692e736261 ibmvnic 30000003 env3: 65050003006d6f63 ================================================================== BUG: KASAN: slab-out-of-bounds in ibmvnic_login+0xacc/0xffc [ibmvnic] Read of size 8 at addr c0000001331a9aa8 by task ip/17681 <...> Allocated by task 17681: <...> ibmvnic_login+0x2f0/0xffc [ibmvnic] ibmvnic_open+0x148/0x308 [ibmvnic] __dev_open+0x1ac/0x304 <...> The buggy address is located 168 bytes inside of allocated 175-byte region [c0000001331a9a00, c0000001331a9aaf) <...> ================================================================= ibmvnic 30000003 env3: 000000000033766e
References
Impacted products
Vendor Product Version
Linux Linux Version: 032c5e82847a2214c3196a90f0aeba0ce252de58
Version: 032c5e82847a2214c3196a90f0aeba0ce252de58
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/ibm/ibmvnic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ae6b1d6c1acee3a2000394d83ec9f1028321e207",
              "status": "affected",
              "version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
              "versionType": "git"
            },
            {
              "lessThan": "d93a6caab5d7d9b5ce034d75b1e1e993338e3852",
              "status": "affected",
              "version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/ibm/ibmvnic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Use kernel helpers for hex dumps\n\nPreviously, when the driver was printing hex dumps, the buffer was cast\nto an 8 byte long and printed using string formatters. If the buffer\nsize was not a multiple of 8 then a read buffer overflow was possible.\n\nTherefore, create a new ibmvnic function that loops over a buffer and\ncalls hex_dump_to_buffer instead.\n\nThis patch address KASAN reports like the one below:\n  ibmvnic 30000003 env3: Login Buffer:\n  ibmvnic 30000003 env3: 01000000af000000\n  \u003c...\u003e\n  ibmvnic 30000003 env3: 2e6d62692e736261\n  ibmvnic 30000003 env3: 65050003006d6f63\n  ==================================================================\n  BUG: KASAN: slab-out-of-bounds in ibmvnic_login+0xacc/0xffc [ibmvnic]\n  Read of size 8 at addr c0000001331a9aa8 by task ip/17681\n  \u003c...\u003e\n  Allocated by task 17681:\n  \u003c...\u003e\n  ibmvnic_login+0x2f0/0xffc [ibmvnic]\n  ibmvnic_open+0x148/0x308 [ibmvnic]\n  __dev_open+0x1ac/0x304\n  \u003c...\u003e\n  The buggy address is located 168 bytes inside of\n                allocated 175-byte region [c0000001331a9a00, c0000001331a9aaf)\n  \u003c...\u003e\n  =================================================================\n  ibmvnic 30000003 env3: 000000000033766e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:18:32.911Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ae6b1d6c1acee3a2000394d83ec9f1028321e207"
        },
        {
          "url": "https://git.kernel.org/stable/c/d93a6caab5d7d9b5ce034d75b1e1e993338e3852"
        }
      ],
      "title": "ibmvnic: Use kernel helpers for hex dumps",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22104",
    "datePublished": "2025-04-16T14:12:53.118Z",
    "dateReserved": "2024-12-29T08:45:45.819Z",
    "dateUpdated": "2025-05-26T05:18:32.911Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-22104\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-16T15:16:04.733\",\"lastModified\":\"2025-04-17T20:22:16.240\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nibmvnic: Use kernel helpers for hex dumps\\n\\nPreviously, when the driver was printing hex dumps, the buffer was cast\\nto an 8 byte long and printed using string formatters. If the buffer\\nsize was not a multiple of 8 then a read buffer overflow was possible.\\n\\nTherefore, create a new ibmvnic function that loops over a buffer and\\ncalls hex_dump_to_buffer instead.\\n\\nThis patch address KASAN reports like the one below:\\n  ibmvnic 30000003 env3: Login Buffer:\\n  ibmvnic 30000003 env3: 01000000af000000\\n  \u003c...\u003e\\n  ibmvnic 30000003 env3: 2e6d62692e736261\\n  ibmvnic 30000003 env3: 65050003006d6f63\\n  ==================================================================\\n  BUG: KASAN: slab-out-of-bounds in ibmvnic_login+0xacc/0xffc [ibmvnic]\\n  Read of size 8 at addr c0000001331a9aa8 by task ip/17681\\n  \u003c...\u003e\\n  Allocated by task 17681:\\n  \u003c...\u003e\\n  ibmvnic_login+0x2f0/0xffc [ibmvnic]\\n  ibmvnic_open+0x148/0x308 [ibmvnic]\\n  __dev_open+0x1ac/0x304\\n  \u003c...\u003e\\n  The buggy address is located 168 bytes inside of\\n                allocated 175-byte region [c0000001331a9a00, c0000001331a9aaf)\\n  \u003c...\u003e\\n  =================================================================\\n  ibmvnic 30000003 env3: 000000000033766e\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ibmvnic: Uso de ayudantes del kernel para volcados hexadecimales. Anteriormente, cuando el controlador imprim\u00eda volcados hexadecimales, el b\u00fafer se convert\u00eda a una longitud de 8 bytes y se imprim\u00eda mediante formateadores de cadenas. Si el tama\u00f1o del b\u00fafer no era m\u00faltiplo de 8, era posible un desbordamiento del b\u00fafer de lectura. Por lo tanto, cree una nueva funci\u00f3n ibmvnic que recorra un b\u00fafer y llame a hex_dump_to_buffer en su lugar. Este parche soluciona informes de KASAN como el siguiente: ibmvnic 30000003 env3: Login Buffer: ibmvnic 30000003 env3: 01000000af000000 \u0026lt;...\u0026gt; ibmvnic 30000003 env3: 2e6d62692e736261 ibmvnic 30000003 env3: 65050003006d6f63 ====================================================================== ERROR: KASAN: slab-out-of-bounds en ibmvnic_login+0xacc/0xffc [ibmvnic] Lectura de tama\u00f1o 8 en la direcci\u00f3n c0000001331a9aa8 por la tarea ip/17681 \u0026lt;...\u0026gt; Asignado por la tarea 17681: \u0026lt;...\u0026gt; ibmvnic_login+0x2f0/0xffc [ibmvnic] ibmvnic_open+0x148/0x308 [ibmvnic] __dev_open+0x1ac/0x304 \u0026lt;...\u0026gt; La direcci\u00f3n con errores se encuentra 168 bytes dentro de la regi\u00f3n asignada de 175 bytes [c0000001331a9a00, c0000001331a9aaf) \u0026lt;...\u0026gt; ===================================================================== ibmvnic 30000003 env3: 00000000033766e\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/ae6b1d6c1acee3a2000394d83ec9f1028321e207\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d93a6caab5d7d9b5ce034d75b1e1e993338e3852\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.