CVE-2025-38033 (GCVE-0-2025-38033)
Vulnerability from cvelistv5
Published
2025-06-18 09:33
Modified
2025-06-19 13:10
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88 Calling core::fmt::write() from rust code while FineIBT is enabled results in a kernel panic: [ 4614.199779] kernel BUG at arch/x86/kernel/cet.c:132! [ 4614.205343] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 4614.211781] CPU: 2 UID: 0 PID: 6057 Comm: dmabuf_dump Tainted: G U O 6.12.17-android16-0-g6ab38c534a43 #1 9da040f27673ec3945e23b998a0f8bd64c846599 [ 4614.227832] Tainted: [U]=USER, [O]=OOT_MODULE [ 4614.241247] RIP: 0010:do_kernel_cp_fault+0xea/0xf0 ... [ 4614.398144] RIP: 0010:_RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x0/0x20 [ 4614.407792] Code: 48 f7 df 48 0f 48 f9 48 89 f2 89 c6 5d e9 18 fd ff ff 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 81 ea 14 61 af 2c 74 03 0f 0b 90 <66> 0f 1f 00 55 48 89 e5 48 89 f2 48 8b 3f be 01 00 00 00 5d e9 e7 [ 4614.428775] RSP: 0018:ffffb95acfa4ba68 EFLAGS: 00010246 [ 4614.434609] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000 [ 4614.442587] RDX: 0000000000000007 RSI: ffffb95acfa4ba70 RDI: ffffb95acfa4bc88 [ 4614.450557] RBP: ffffb95acfa4bae0 R08: ffff0a00ffffff05 R09: 0000000000000070 [ 4614.458527] R10: 0000000000000000 R11: ffffffffab67eaf0 R12: ffffb95acfa4bcc8 [ 4614.466493] R13: ffffffffac5d50f0 R14: 0000000000000000 R15: 0000000000000000 [ 4614.474473] ? __cfi__RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x10/0x10 [ 4614.484118] ? _RNvNtCs3o2tGsuHyou_4core3fmt5write+0x1d2/0x250 This happens because core::fmt::write() calls core::fmt::rt::Argument::fmt(), which currently has CFI disabled: library/core/src/fmt/rt.rs: 171 // FIXME: Transmuting formatter in new and indirectly branching to/calling 172 // it here is an explicit CFI violation. 173 #[allow(inline_no_sanitize)] 174 #[no_sanitize(cfi, kcfi)] 175 #[inline] 176 pub(super) unsafe fn fmt(&self, f: &mut Formatter<'_>) -> Result { This causes a Control Protection exception, because FineIBT has sealed off the original function's endbr64. This makes rust currently incompatible with FineIBT. Add a Kconfig dependency that prevents FineIBT from getting turned on by default if rust is enabled. [ Rust 1.88.0 (scheduled for 2025-06-26) should have this fixed [1], and thus we relaxed the condition with Rust >= 1.88. When `objtool` lands checking for this with e.g. [2], the plan is to ideally run that in upstream Rust's CI to prevent regressions early [3], since we do not control `core`'s source code. Alice tested the Rust PR backported to an older compiler. Peter would like that Rust provides a stable `core` which can be pulled into the kernel: "Relying on that much out of tree code is 'unfortunate'". - Miguel ] [ Reduced splat. - Miguel ]
References
Impacted products
Vendor Product Version
Linux Linux Version: d6f635bcaca8d38dfa47ee20658705f9eff156b5
Version: d6f635bcaca8d38dfa47ee20658705f9eff156b5
Version: d6f635bcaca8d38dfa47ee20658705f9eff156b5
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/Kconfig"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5a8d073d87da4ad1496b35adaee5719e94665d81",
              "status": "affected",
              "version": "d6f635bcaca8d38dfa47ee20658705f9eff156b5",
              "versionType": "git"
            },
            {
              "lessThan": "6b9956d09382bcbd5fd260c4b60ec48680a4cffb",
              "status": "affected",
              "version": "d6f635bcaca8d38dfa47ee20658705f9eff156b5",
              "versionType": "git"
            },
            {
              "lessThan": "5595c31c370957aabe739ac3996aedba8267603f",
              "status": "affected",
              "version": "d6f635bcaca8d38dfa47ee20658705f9eff156b5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/Kconfig"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust \u003e= 1.88\n\nCalling core::fmt::write() from rust code while FineIBT is enabled\nresults in a kernel panic:\n\n[ 4614.199779] kernel BUG at arch/x86/kernel/cet.c:132!\n[ 4614.205343] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 4614.211781] CPU: 2 UID: 0 PID: 6057 Comm: dmabuf_dump Tainted: G     U     O       6.12.17-android16-0-g6ab38c534a43 #1 9da040f27673ec3945e23b998a0f8bd64c846599\n[ 4614.227832] Tainted: [U]=USER, [O]=OOT_MODULE\n[ 4614.241247] RIP: 0010:do_kernel_cp_fault+0xea/0xf0\n...\n[ 4614.398144] RIP: 0010:_RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x0/0x20\n[ 4614.407792] Code: 48 f7 df 48 0f 48 f9 48 89 f2 89 c6 5d e9 18 fd ff ff 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 81 ea 14 61 af 2c 74 03 0f 0b 90 \u003c66\u003e 0f 1f 00 55 48 89 e5 48 89 f2 48 8b 3f be 01 00 00 00 5d e9 e7\n[ 4614.428775] RSP: 0018:ffffb95acfa4ba68 EFLAGS: 00010246\n[ 4614.434609] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000\n[ 4614.442587] RDX: 0000000000000007 RSI: ffffb95acfa4ba70 RDI: ffffb95acfa4bc88\n[ 4614.450557] RBP: ffffb95acfa4bae0 R08: ffff0a00ffffff05 R09: 0000000000000070\n[ 4614.458527] R10: 0000000000000000 R11: ffffffffab67eaf0 R12: ffffb95acfa4bcc8\n[ 4614.466493] R13: ffffffffac5d50f0 R14: 0000000000000000 R15: 0000000000000000\n[ 4614.474473]  ? __cfi__RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x10/0x10\n[ 4614.484118]  ? _RNvNtCs3o2tGsuHyou_4core3fmt5write+0x1d2/0x250\n\nThis happens because core::fmt::write() calls\ncore::fmt::rt::Argument::fmt(), which currently has CFI disabled:\n\nlibrary/core/src/fmt/rt.rs:\n171     // FIXME: Transmuting formatter in new and indirectly branching to/calling\n172     // it here is an explicit CFI violation.\n173     #[allow(inline_no_sanitize)]\n174     #[no_sanitize(cfi, kcfi)]\n175     #[inline]\n176     pub(super) unsafe fn fmt(\u0026self, f: \u0026mut Formatter\u003c\u0027_\u003e) -\u003e Result {\n\nThis causes a Control Protection exception, because FineIBT has sealed\noff the original function\u0027s endbr64.\n\nThis makes rust currently incompatible with FineIBT. Add a Kconfig\ndependency that prevents FineIBT from getting turned on by default\nif rust is enabled.\n\n[ Rust 1.88.0 (scheduled for 2025-06-26) should have this fixed [1],\n  and thus we relaxed the condition with Rust \u003e= 1.88.\n\n  When `objtool` lands checking for this with e.g. [2], the plan is\n  to ideally run that in upstream Rust\u0027s CI to prevent regressions\n  early [3], since we do not control `core`\u0027s source code.\n\n  Alice tested the Rust PR backported to an older compiler.\n\n  Peter would like that Rust provides a stable `core` which can be\n  pulled into the kernel: \"Relying on that much out of tree code is\n  \u0027unfortunate\u0027\".\n\n    - Miguel ]\n\n[ Reduced splat. - Miguel ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-19T13:10:55.693Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5a8d073d87da4ad1496b35adaee5719e94665d81"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b9956d09382bcbd5fd260c4b60ec48680a4cffb"
        },
        {
          "url": "https://git.kernel.org/stable/c/5595c31c370957aabe739ac3996aedba8267603f"
        }
      ],
      "title": "x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust \u003e= 1.88",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38033",
    "datePublished": "2025-06-18T09:33:20.195Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2025-06-19T13:10:55.693Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38033\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-06-18T10:15:35.470\",\"lastModified\":\"2025-06-18T13:46:52.973\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust \u003e= 1.88\\n\\nCalling core::fmt::write() from rust code while FineIBT is enabled\\nresults in a kernel panic:\\n\\n[ 4614.199779] kernel BUG at arch/x86/kernel/cet.c:132!\\n[ 4614.205343] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\n[ 4614.211781] CPU: 2 UID: 0 PID: 6057 Comm: dmabuf_dump Tainted: G     U     O       6.12.17-android16-0-g6ab38c534a43 #1 9da040f27673ec3945e23b998a0f8bd64c846599\\n[ 4614.227832] Tainted: [U]=USER, [O]=OOT_MODULE\\n[ 4614.241247] RIP: 0010:do_kernel_cp_fault+0xea/0xf0\\n...\\n[ 4614.398144] RIP: 0010:_RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x0/0x20\\n[ 4614.407792] Code: 48 f7 df 48 0f 48 f9 48 89 f2 89 c6 5d e9 18 fd ff ff 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 81 ea 14 61 af 2c 74 03 0f 0b 90 \u003c66\u003e 0f 1f 00 55 48 89 e5 48 89 f2 48 8b 3f be 01 00 00 00 5d e9 e7\\n[ 4614.428775] RSP: 0018:ffffb95acfa4ba68 EFLAGS: 00010246\\n[ 4614.434609] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000\\n[ 4614.442587] RDX: 0000000000000007 RSI: ffffb95acfa4ba70 RDI: ffffb95acfa4bc88\\n[ 4614.450557] RBP: ffffb95acfa4bae0 R08: ffff0a00ffffff05 R09: 0000000000000070\\n[ 4614.458527] R10: 0000000000000000 R11: ffffffffab67eaf0 R12: ffffb95acfa4bcc8\\n[ 4614.466493] R13: ffffffffac5d50f0 R14: 0000000000000000 R15: 0000000000000000\\n[ 4614.474473]  ? __cfi__RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x10/0x10\\n[ 4614.484118]  ? _RNvNtCs3o2tGsuHyou_4core3fmt5write+0x1d2/0x250\\n\\nThis happens because core::fmt::write() calls\\ncore::fmt::rt::Argument::fmt(), which currently has CFI disabled:\\n\\nlibrary/core/src/fmt/rt.rs:\\n171     // FIXME: Transmuting formatter in new and indirectly branching to/calling\\n172     // it here is an explicit CFI violation.\\n173     #[allow(inline_no_sanitize)]\\n174     #[no_sanitize(cfi, kcfi)]\\n175     #[inline]\\n176     pub(super) unsafe fn fmt(\u0026self, f: \u0026mut Formatter\u003c\u0027_\u003e) -\u003e Result {\\n\\nThis causes a Control Protection exception, because FineIBT has sealed\\noff the original function\u0027s endbr64.\\n\\nThis makes rust currently incompatible with FineIBT. Add a Kconfig\\ndependency that prevents FineIBT from getting turned on by default\\nif rust is enabled.\\n\\n[ Rust 1.88.0 (scheduled for 2025-06-26) should have this fixed [1],\\n  and thus we relaxed the condition with Rust \u003e= 1.88.\\n\\n  When `objtool` lands checking for this with e.g. [2], the plan is\\n  to ideally run that in upstream Rust\u0027s CI to prevent regressions\\n  early [3], since we do not control `core`\u0027s source code.\\n\\n  Alice tested the Rust PR backported to an older compiler.\\n\\n  Peter would like that Rust provides a stable `core` which can be\\n  pulled into the kernel: \\\"Relying on that much out of tree code is\\n  \u0027unfortunate\u0027\\\".\\n\\n    - Miguel ]\\n\\n[ Reduced splat. - Miguel ]\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: x86/Kconfig: hacer que CFI_AUTO_DEFAULT dependa de !RUST o Rust \u0026gt;= 1.88 Llamar a core::fmt::write() desde el c\u00f3digo rust mientras FineIBT est\u00e1 habilitado da como resultado un p\u00e1nico del kernel: [ 4614.199779] \u00a1ERROR del kernel en arch/x86/kernel/cet.c:132! [ 4614.205343] Ups: c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP NOPTI [ 4614.211781] CPU: 2 UID: 0 PID: 6057 Comm: dmabuf_dump Contaminado: GUO 6.12.17-android16-0-g6ab38c534a43 #1 9da040f27673ec3945e23b998a0f8bd64c846599 [ 4614.227832] Contaminado: [U]=USUARIO, [O]=OOT_M\u00d3DULO [ 4614.241247] RIP: 0010:do_kernel_cp_fault+0xea/0xf0 ... [ 4614.398144] RIP: 0010:_RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x0/0x20 [ 4614.407792] C\u00f3digo: 48 f7 gl 48 0f 48 f9 48 89 f2 89 c6 5d e9 18 fd ff ff 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 81 ea 14 61 af 2c 74 03 0f 0b 90 \u0026lt;66\u0026gt; 0f 1f 00 55 48 89 e5 48 89 f2 48 8b 3f be 01 00 00 00 5d e9 e7 [ 4614.428775] RSP: 0018:ffffb95acfa4ba68 EFLAGS: 00010246 [ 4614.434609] RAX: 000000000000000 RBX: 0000000000000010 RCX: 0000000000000000 [ 4614.442587] RDX: 0000000000000007 RSI: ffffb95acfa4ba70 RDI: ffffb95acfa4bc88 [ 4614.450557] RBP: ffffb95acfa4bae0 R08: ffff0a00ffffff05 R09: 0000000000000070 [ 4614.458527] R10: 0000000000000000 R11: ffffffffab67eaf0 R12: ffffb95acfa4bcc8 [ 4614.466493] R13: ffffffffac5d50f0 R14: 0000000000000000 R15: 0000000000000000 [ 4614.474473] ? __cfi__RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x10/0x10 [ 4614.484118] ? _RNvNtCs3o2tGsuHyou_4core3fmt5write+0x1d2/0x250 Esto sucede porque core::fmt::write() llama a core::fmt::rt::Argument::fmt(), que actualmente tiene CFI deshabilitado: library/core/src/fmt/rt.rs: 171 // FIXME: Transmutando el formateador en new y ramificando indirectamente a/llamando a 172 // aqu\u00ed es una violaci\u00f3n expl\u00edcita de CFI. 173 #[allow(inline_no_sanitize)] 174 #[no_sanitize(cfi, kcfi)] 175 #[inline] 176 pub(super) unsafe fn fmt(\u0026amp;self, f: \u0026amp;mut Formatter\u0026lt;\u0027_\u0026gt;) -\u0026gt; Result { Esto causa una excepci\u00f3n de Protecci\u00f3n de Control, porque FineIBT ha sellado el endbr64 de la funci\u00f3n original. Esto hace que rust actualmente sea incompatible con FineIBT. Agregue una dependencia de Kconfig que evite que FineIBT se active de manera predeterminada si Rust est\u00e1 habilitado. [ Rust 1.88.0 (programado para el 26/06/2025) deber\u00eda tener esto solucionado [1], y por lo tanto relajamos la condici\u00f3n con Rust \u0026gt;= 1.88. Cuando `objtool` aterrice verificando esto con, por ejemplo, [2], el plan es ejecutarlo idealmente en la CI de Rust ascendente para evitar regresiones tempranas [3], ya que no controlamos el c\u00f3digo fuente de `core`. Alice prob\u00f3 el PR de Rust retroportado a un compilador m\u00e1s antiguo. A Peter le gustar\u00eda que Rust proporcionara un n\u00facleo estable que se pueda integrar en el kernel: \\\"Depender de tanto c\u00f3digo fuera del \u00e1rbol es \u0027desafortunado\u0027\\\". - Miguel ] [Menudas palabras. - Miguel ]\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5595c31c370957aabe739ac3996aedba8267603f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5a8d073d87da4ad1496b35adaee5719e94665d81\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6b9956d09382bcbd5fd260c4b60ec48680a4cffb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.