CVE-2025-38196 (GCVE-0-2025-38196)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2025-07-28 04:14
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: validate buffer count with offset for cloning syzbot reports that it can trigger a WARN_ON() for kmalloc() attempt that's too big: WARNING: CPU: 0 PID: 6488 at mm/slub.c:5024 __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 Modules linked in: CPU: 0 UID: 0 PID: 6488 Comm: syz-executor312 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 lr : __do_kmalloc_node mm/slub.c:-1 [inline] lr : __kvmalloc_node_noprof+0x3b4/0x640 mm/slub.c:5012 sp : ffff80009cfd7a90 x29: ffff80009cfd7ac0 x28: ffff0000dd52a120 x27: 0000000000412dc0 x26: 0000000000000178 x25: ffff7000139faf70 x24: 0000000000000000 x23: ffff800082f4cea8 x22: 00000000ffffffff x21: 000000010cd004a8 x20: ffff0000d75816c0 x19: ffff0000dd52a000 x18: 00000000ffffffff x17: ffff800092f39000 x16: ffff80008adbe9e4 x15: 0000000000000005 x14: 1ffff000139faf1c x13: 0000000000000000 x12: 0000000000000000 x11: ffff7000139faf21 x10: 0000000000000003 x9 : ffff80008f27b938 x8 : 0000000000000002 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 00000000ffffffff x4 : 0000000000400dc0 x3 : 0000000200000000 x2 : 000000010cd004a8 x1 : ffff80008b3ebc40 x0 : 0000000000000001 Call trace: __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 (P) kvmalloc_array_node_noprof include/linux/slab.h:1065 [inline] io_rsrc_data_alloc io_uring/rsrc.c:206 [inline] io_clone_buffers io_uring/rsrc.c:1178 [inline] io_register_clone_buffers+0x484/0xa14 io_uring/rsrc.c:1287 __io_uring_register io_uring/register.c:815 [inline] __do_sys_io_uring_register io_uring/register.c:926 [inline] __se_sys_io_uring_register io_uring/register.c:903 [inline] __arm64_sys_io_uring_register+0x42c/0xea8 io_uring/register.c:903 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 which is due to offset + buffer_count being too large. The registration code checks only the total count of buffers, but given that the indexing is an array, it should also check offset + count. That can't exceed IORING_MAX_REG_BUFFERS either, as there's no way to reach buffers beyond that limit. There's no issue with registrering a table this large, outside of the fact that it's pointless to register buffers that cannot be reached, and that it can trigger this kmalloc() warning for attempting an allocation that is too large.
References
Impacted products
Vendor Product Version
Linux Linux Version: b16e920a1909da6799c43000db730d8fcdcae907
Version: b16e920a1909da6799c43000db730d8fcdcae907
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "io_uring/rsrc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0e23ac818f3afb16660b0ba384875d56a7013879",
              "status": "affected",
              "version": "b16e920a1909da6799c43000db730d8fcdcae907",
              "versionType": "git"
            },
            {
              "lessThan": "1d27f11bf02b38c431e49a17dee5c10a2b4c2e28",
              "status": "affected",
              "version": "b16e920a1909da6799c43000db730d8fcdcae907",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "io_uring/rsrc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rsrc: validate buffer count with offset for cloning\n\nsyzbot reports that it can trigger a WARN_ON() for kmalloc() attempt\nthat\u0027s too big:\n\nWARNING: CPU: 0 PID: 6488 at mm/slub.c:5024 __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024\nModules linked in:\nCPU: 0 UID: 0 PID: 6488 Comm: syz-executor312 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\npstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024\nlr : __do_kmalloc_node mm/slub.c:-1 [inline]\nlr : __kvmalloc_node_noprof+0x3b4/0x640 mm/slub.c:5012\nsp : ffff80009cfd7a90\nx29: ffff80009cfd7ac0 x28: ffff0000dd52a120 x27: 0000000000412dc0\nx26: 0000000000000178 x25: ffff7000139faf70 x24: 0000000000000000\nx23: ffff800082f4cea8 x22: 00000000ffffffff x21: 000000010cd004a8\nx20: ffff0000d75816c0 x19: ffff0000dd52a000 x18: 00000000ffffffff\nx17: ffff800092f39000 x16: ffff80008adbe9e4 x15: 0000000000000005\nx14: 1ffff000139faf1c x13: 0000000000000000 x12: 0000000000000000\nx11: ffff7000139faf21 x10: 0000000000000003 x9 : ffff80008f27b938\nx8 : 0000000000000002 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : 00000000ffffffff x4 : 0000000000400dc0 x3 : 0000000200000000\nx2 : 000000010cd004a8 x1 : ffff80008b3ebc40 x0 : 0000000000000001\nCall trace:\n __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 (P)\n kvmalloc_array_node_noprof include/linux/slab.h:1065 [inline]\n io_rsrc_data_alloc io_uring/rsrc.c:206 [inline]\n io_clone_buffers io_uring/rsrc.c:1178 [inline]\n io_register_clone_buffers+0x484/0xa14 io_uring/rsrc.c:1287\n __io_uring_register io_uring/register.c:815 [inline]\n __do_sys_io_uring_register io_uring/register.c:926 [inline]\n __se_sys_io_uring_register io_uring/register.c:903 [inline]\n __arm64_sys_io_uring_register+0x42c/0xea8 io_uring/register.c:903\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\nwhich is due to offset + buffer_count being too large. The registration\ncode checks only the total count of buffers, but given that the indexing\nis an array, it should also check offset + count. That can\u0027t exceed\nIORING_MAX_REG_BUFFERS either, as there\u0027s no way to reach buffers beyond\nthat limit.\n\nThere\u0027s no issue with registrering a table this large, outside of the\nfact that it\u0027s pointless to register buffers that cannot be reached, and\nthat it can trigger this kmalloc() warning for attempting an allocation\nthat is too large."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:49.780Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0e23ac818f3afb16660b0ba384875d56a7013879"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d27f11bf02b38c431e49a17dee5c10a2b4c2e28"
        }
      ],
      "title": "io_uring/rsrc: validate buffer count with offset for cloning",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38196",
    "datePublished": "2025-07-04T13:37:19.191Z",
    "dateReserved": "2025-04-16T04:51:23.993Z",
    "dateUpdated": "2025-07-28T04:14:49.780Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38196\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-04T14:15:26.787\",\"lastModified\":\"2025-07-08T16:18:53.607\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring/rsrc: validate buffer count with offset for cloning\\n\\nsyzbot reports that it can trigger a WARN_ON() for kmalloc() attempt\\nthat\u0027s too big:\\n\\nWARNING: CPU: 0 PID: 6488 at mm/slub.c:5024 __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024\\nModules linked in:\\nCPU: 0 UID: 0 PID: 6488 Comm: syz-executor312 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\\npstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\npc : __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024\\nlr : __do_kmalloc_node mm/slub.c:-1 [inline]\\nlr : __kvmalloc_node_noprof+0x3b4/0x640 mm/slub.c:5012\\nsp : ffff80009cfd7a90\\nx29: ffff80009cfd7ac0 x28: ffff0000dd52a120 x27: 0000000000412dc0\\nx26: 0000000000000178 x25: ffff7000139faf70 x24: 0000000000000000\\nx23: ffff800082f4cea8 x22: 00000000ffffffff x21: 000000010cd004a8\\nx20: ffff0000d75816c0 x19: ffff0000dd52a000 x18: 00000000ffffffff\\nx17: ffff800092f39000 x16: ffff80008adbe9e4 x15: 0000000000000005\\nx14: 1ffff000139faf1c x13: 0000000000000000 x12: 0000000000000000\\nx11: ffff7000139faf21 x10: 0000000000000003 x9 : ffff80008f27b938\\nx8 : 0000000000000002 x7 : 0000000000000000 x6 : 0000000000000000\\nx5 : 00000000ffffffff x4 : 0000000000400dc0 x3 : 0000000200000000\\nx2 : 000000010cd004a8 x1 : ffff80008b3ebc40 x0 : 0000000000000001\\nCall trace:\\n __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 (P)\\n kvmalloc_array_node_noprof include/linux/slab.h:1065 [inline]\\n io_rsrc_data_alloc io_uring/rsrc.c:206 [inline]\\n io_clone_buffers io_uring/rsrc.c:1178 [inline]\\n io_register_clone_buffers+0x484/0xa14 io_uring/rsrc.c:1287\\n __io_uring_register io_uring/register.c:815 [inline]\\n __do_sys_io_uring_register io_uring/register.c:926 [inline]\\n __se_sys_io_uring_register io_uring/register.c:903 [inline]\\n __arm64_sys_io_uring_register+0x42c/0xea8 io_uring/register.c:903\\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\\n el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\\n\\nwhich is due to offset + buffer_count being too large. The registration\\ncode checks only the total count of buffers, but given that the indexing\\nis an array, it should also check offset + count. That can\u0027t exceed\\nIORING_MAX_REG_BUFFERS either, as there\u0027s no way to reach buffers beyond\\nthat limit.\\n\\nThere\u0027s no issue with registrering a table this large, outside of the\\nfact that it\u0027s pointless to register buffers that cannot be reached, and\\nthat it can trigger this kmalloc() warning for attempting an allocation\\nthat is too large.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring/rsrc: validar el recuento de b\u00fafer con desplazamiento para la clonaci\u00f3n syzbot informa que puede activar un WARN_ON() para un intento de kmalloc() que es demasiado grande: CPU: 0 PID: 6488 at mm/slub.c:5024 __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 Modules linked in: CPU: 0 UID: 0 PID: 6488 Comm: syz-executor312 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 lr : __do_kmalloc_node mm/slub.c:-1 [inline] lr : __kvmalloc_node_noprof+0x3b4/0x640 mm/slub.c:5012 sp : ffff80009cfd7a90 x29: ffff80009cfd7ac0 x28: ffff0000dd52a120 x27: 0000000000412dc0 x26: 0000000000000178 x25: ffff7000139faf70 x24: 0000000000000000 x23: ffff800082f4cea8 x22: 00000000ffffffff x21: 000000010cd004a8 x20: ffff0000d75816c0 x19: ffff0000dd52a000 x18: 00000000ffffffff x17: ffff800092f39000 x16: ffff80008adbe9e4 x15: 0000000000000005 x14: 1ffff000139faf1c x13: 0000000000000000 x12: 0000000000000000 x11: ffff7000139faf21 x10: 0000000000000003 x9 : ffff80008f27b938 x8 : 0000000000000002 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 00000000ffffffff x4 : 0000000000400dc0 x3 : 0000000200000000 x2 : 000000010cd004a8 x1 : ffff80008b3ebc40 x0 : 0000000000000001 Call trace: __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 (P) kvmalloc_array_node_noprof include/linux/slab.h:1065 [inline] io_rsrc_data_alloc io_uring/rsrc.c:206 [inline] io_clone_buffers io_uring/rsrc.c:1178 [inline] io_register_clone_buffers+0x484/0xa14 io_uring/rsrc.c:1287 __io_uring_register io_uring/register.c:815 [inline] __do_sys_io_uring_register io_uring/register.c:926 [inline] __se_sys_io_uring_register io_uring/register.c:903 [inline] __arm64_sys_io_uring_register+0x42c/0xea8 io_uring/register.c:903 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Esto se debe a que offset + buffer_count es demasiado grande. El c\u00f3digo de registro solo verifica el recuento total de b\u00faferes, pero dado que la indexaci\u00f3n es una matriz, tambi\u00e9n deber\u00eda verificar offset + count. Esto tampoco puede superar IORING_MAX_REG_BUFFERS, ya que no es posible acceder a b\u00faferes m\u00e1s all\u00e1 de ese l\u00edmite. Registrar una tabla tan grande no presenta ning\u00fan problema, salvo que no tiene sentido registrar b\u00faferes inaccesibles y que puede activar la advertencia de kmalloc() por intentar una asignaci\u00f3n demasiado grande.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0e23ac818f3afb16660b0ba384875d56a7013879\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1d27f11bf02b38c431e49a17dee5c10a2b4c2e28\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.