CVE-2025-37886 (GCVE-0-2025-37886)
Vulnerability from cvelistv5
Published
2025-05-09 06:45
Modified
2025-05-26 05:23
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: pds_core: make wait_context part of q_info Make the wait_context a full part of the q_info struct rather than a stack variable that goes away after pdsc_adminq_post() is done so that the context is still available after the wait loop has given up. There was a case where a slow development firmware caused the adminq request to time out, but then later the FW finally finished the request and sent the interrupt. The handler tried to complete_all() the completion context that had been created on the stack in pdsc_adminq_post() but no longer existed. This caused bad pointer usage, kernel crashes, and much wailing and gnashing of teeth.
References
Impacted products
Vendor Product Version
Linux Linux Version: 01ba61b55b2041a39c54aefb3153c770dd59a0ef
Version: 01ba61b55b2041a39c54aefb3153c770dd59a0ef
Version: 01ba61b55b2041a39c54aefb3153c770dd59a0ef
Version: 01ba61b55b2041a39c54aefb3153c770dd59a0ef
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/amd/pds_core/adminq.c",
            "drivers/net/ethernet/amd/pds_core/core.c",
            "drivers/net/ethernet/amd/pds_core/core.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1d7c4b2b0bbfb09b55b2dc0e2355d7936bf89381",
              "status": "affected",
              "version": "01ba61b55b2041a39c54aefb3153c770dd59a0ef",
              "versionType": "git"
            },
            {
              "lessThan": "66d7702b42ffdf0dce4808626088268a4e905ca6",
              "status": "affected",
              "version": "01ba61b55b2041a39c54aefb3153c770dd59a0ef",
              "versionType": "git"
            },
            {
              "lessThan": "520f012fe75fb8efc9f16a57ef929a7a2115d892",
              "status": "affected",
              "version": "01ba61b55b2041a39c54aefb3153c770dd59a0ef",
              "versionType": "git"
            },
            {
              "lessThan": "3f77c3dfffc7063428b100c4945ca2a7a8680380",
              "status": "affected",
              "version": "01ba61b55b2041a39c54aefb3153c770dd59a0ef",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/amd/pds_core/adminq.c",
            "drivers/net/ethernet/amd/pds_core/core.c",
            "drivers/net/ethernet/amd/pds_core/core.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npds_core: make wait_context part of q_info\n\nMake the wait_context a full part of the q_info struct rather\nthan a stack variable that goes away after pdsc_adminq_post()\nis done so that the context is still available after the wait\nloop has given up.\n\nThere was a case where a slow development firmware caused\nthe adminq request to time out, but then later the FW finally\nfinished the request and sent the interrupt.  The handler tried\nto complete_all() the completion context that had been created\non the stack in pdsc_adminq_post() but no longer existed.\nThis caused bad pointer usage, kernel crashes, and much wailing\nand gnashing of teeth."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:23:03.001Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1d7c4b2b0bbfb09b55b2dc0e2355d7936bf89381"
        },
        {
          "url": "https://git.kernel.org/stable/c/66d7702b42ffdf0dce4808626088268a4e905ca6"
        },
        {
          "url": "https://git.kernel.org/stable/c/520f012fe75fb8efc9f16a57ef929a7a2115d892"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f77c3dfffc7063428b100c4945ca2a7a8680380"
        }
      ],
      "title": "pds_core: make wait_context part of q_info",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37886",
    "datePublished": "2025-05-09T06:45:48.810Z",
    "dateReserved": "2025-04-16T04:51:23.963Z",
    "dateUpdated": "2025-05-26T05:23:03.001Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-37886\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-09T07:16:09.973\",\"lastModified\":\"2025-05-12T17:32:32.760\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\npds_core: make wait_context part of q_info\\n\\nMake the wait_context a full part of the q_info struct rather\\nthan a stack variable that goes away after pdsc_adminq_post()\\nis done so that the context is still available after the wait\\nloop has given up.\\n\\nThere was a case where a slow development firmware caused\\nthe adminq request to time out, but then later the FW finally\\nfinished the request and sent the interrupt.  The handler tried\\nto complete_all() the completion context that had been created\\non the stack in pdsc_adminq_post() but no longer existed.\\nThis caused bad pointer usage, kernel crashes, and much wailing\\nand gnashing of teeth.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: pds_core: hacer que wait_context forme parte de q_info Hacer que wait_context sea una parte completa de la estructura q_info en lugar de una variable de pila que desaparezca despu\u00e9s de que pdsc_adminq_post() se complete para que el contexto siga disponible despu\u00e9s de que el bucle de espera se haya dado por vencido. Hubo un caso en el que un firmware de desarrollo lento provoc\u00f3 que la solicitud adminq expirara, pero luego el FW finalmente termin\u00f3 la solicitud y envi\u00f3 la interrupci\u00f3n. El controlador intent\u00f3 completar_todo() el contexto de finalizaci\u00f3n que se hab\u00eda creado en la pila en pdsc_adminq_post() pero ya no exist\u00eda. Esto caus\u00f3 un mal uso del puntero, fallos del kernel y muchos lamentos y crujir de dientes.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1d7c4b2b0bbfb09b55b2dc0e2355d7936bf89381\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3f77c3dfffc7063428b100c4945ca2a7a8680380\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/520f012fe75fb8efc9f16a57ef929a7a2115d892\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/66d7702b42ffdf0dce4808626088268a4e905ca6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.