CVE-2025-38055 (GCVE-0-2025-38055)
Vulnerability from cvelistv5
Published: 2025-06-18 09:33
Modified: 2025-06-18 09:33
Summary
In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq

Currently, using PEBS-via-PT with a sample frequency instead of a sample period causes a segfault. For example:

    BUG: kernel NULL pointer dereference, address: 0000000000000195
    <NMI>
    ? __die_body.cold+0x19/0x27
    ? page_fault_oops+0xca/0x290
    ? exc_page_fault+0x7e/0x1b0
    ? asm_exc_page_fault+0x26/0x30
    ? intel_pmu_pebs_event_update_no_drain+0x40/0x60
    ? intel_pmu_pebs_event_update_no_drain+0x32/0x60
    intel_pmu_drain_pebs_icl+0x333/0x350
    handle_pmi_common+0x272/0x3c0
    intel_pmu_handle_irq+0x10a/0x2e0
    perf_event_nmi_handler+0x2a/0x50

That happens because intel_pmu_pebs_event_update_no_drain() assumes all the pebs_enabled bits represent counter indexes, which is not always the case. In this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.

The behaviour of PEBS-via-PT with sample frequency is questionable because although a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not adjusted anyway.

Putting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing the mask of counter bits instead of 'size'. Note, prior to the Fixes commit, 'size' would be limited to the maximum counter index, so the issue was not hit.
Impacted products
Vendor  Product  Version
Linux   Linux    722e42e45c2f1c6d1adec7813651dba5139f52f4
Linux   Linux    722e42e45c2f1c6d1adec7813651dba5139f52f4
Linux   Linux    722e42e45c2f1c6d1adec7813651dba5139f52f4
Linux   Linux    a9d6d466bcf0621a872e1052bc40e4c6f0541b8d


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/events/intel/ds.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ca51db23166767a8445deb8331c9b8d5205d9287",
              "status": "affected",
              "version": "722e42e45c2f1c6d1adec7813651dba5139f52f4",
              "versionType": "git"
            },
            {
              "lessThan": "0b1874a5b1173fbcb2185ab828f4c33d067e551e",
              "status": "affected",
              "version": "722e42e45c2f1c6d1adec7813651dba5139f52f4",
              "versionType": "git"
            },
            {
              "lessThan": "99bcd91fabada0dbb1d5f0de44532d8008db93c6",
              "status": "affected",
              "version": "722e42e45c2f1c6d1adec7813651dba5139f52f4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a9d6d466bcf0621a872e1052bc40e4c6f0541b8d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/events/intel/ds.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq\n\nCurrently, using PEBS-via-PT with a sample frequency instead of a sample\nperiod, causes a segfault.  For example:\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000195\n    \u003cNMI\u003e\n    ? __die_body.cold+0x19/0x27\n    ? page_fault_oops+0xca/0x290\n    ? exc_page_fault+0x7e/0x1b0\n    ? asm_exc_page_fault+0x26/0x30\n    ? intel_pmu_pebs_event_update_no_drain+0x40/0x60\n    ? intel_pmu_pebs_event_update_no_drain+0x32/0x60\n    intel_pmu_drain_pebs_icl+0x333/0x350\n    handle_pmi_common+0x272/0x3c0\n    intel_pmu_handle_irq+0x10a/0x2e0\n    perf_event_nmi_handler+0x2a/0x50\n\nThat happens because intel_pmu_pebs_event_update_no_drain() assumes all the\npebs_enabled bits represent counter indexes, which is not always the case.\nIn this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.\n\nThe behaviour of PEBS-via-PT with sample frequency is questionable because\nalthough a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not\nadjusted anyway.\n\nPutting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing\nthe mask of counter bits instead of \u0027size\u0027.  Note, prior to the Fixes\ncommit, \u0027size\u0027 would be limited to the maximum counter index, so the issue\nwas not hit."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:35.556Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ca51db23166767a8445deb8331c9b8d5205d9287"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b1874a5b1173fbcb2185ab828f4c33d067e551e"
        },
        {
          "url": "https://git.kernel.org/stable/c/99bcd91fabada0dbb1d5f0de44532d8008db93c6"
        }
      ],
      "title": "perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38055",
    "datePublished": "2025-06-18T09:33:35.556Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-06-18T09:33:35.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

