fkie_cve-2025-38086
Vulnerability from fkie_nvd
Published
2025-06-28 08:15
Modified
2025-06-30 18:38
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net: ch9200: fix uninitialised access during mii_nway_restart In mii_nway_restart() the code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer called "buff", which is initialised with control_read(). However "buff" is conditionally initialised inside control_read(): if (err == size) { memcpy(data, buf, size); } If the condition of "err == size" is not met, then "buff" remains uninitialised. Once this happens the uninitialised "buff" is accessed and returned during ch9200_mdio_read(): return (buff[0] | buff[1] << 8); The problem stems from the fact that ch9200_mdio_read() ignores the return value of control_read(), leading to uinit-access of "buff". To fix this we should check the return value of control_read() and return early on error.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/119766de4930ff40db9f36b960cb53b0c400e81b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/33163c68d2e3061fa3935b5f0a1867958b1cdbd2
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4da7fcc098218ff92b2e83a43f545c02f714cedd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6bd2569d0b2f918e9581f744df0263caf73ee76c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9a350f30d65197354706b7759b5c89d6c267b1a9
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9ad0452c0277b816a435433cca601304cfac7c21
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9da3e442714f7f4393ff01c265c4959c03e88c2f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cdaa6d1cb2ff1219c6c822b27655dd170ffb0f72
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ch9200: fix uninitialised access during mii_nway_restart\n\nIn mii_nway_restart() the code attempts to call\nmii-\u003emdio_read which is ch9200_mdio_read(). ch9200_mdio_read()\nutilises a local buffer called \"buff\", which is initialised\nwith control_read(). However \"buff\" is conditionally\ninitialised inside control_read():\n\n        if (err == size) {\n                memcpy(data, buf, size);\n        }\n\nIf the condition of \"err == size\" is not met, then\n\"buff\" remains uninitialised. Once this happens the\nuninitialised \"buff\" is accessed and returned during\nch9200_mdio_read():\n\n        return (buff[0] | buff[1] \u003c\u003c 8);\n\nThe problem stems from the fact that ch9200_mdio_read()\nignores the return value of control_read(), leading to\nuinit-access of \"buff\".\n\nTo fix this we should check the return value of\ncontrol_read() and return early on error."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: ch9200: correcci\u00f3n del acceso no inicializado durante mii_nway_restart. En mii_nway_restart(), el c\u00f3digo intenta llamar a mii-\u0026gt;mdio_read, que es ch9200_mdio_read(). ch9200_mdio_read() utiliza un b\u00fafer local llamado \"buff\", que se inicializa con control_read(). Sin embargo, \"buff\" se inicializa condicionalmente dentro de control_read(): if (err == size) { memcpy(data, buf, size); } Si no se cumple la condici\u00f3n \"err == size\", \"buff\" permanece sin inicializar. Una vez que esto sucede, se accede al \"buff\" no inicializado y se devuelve durante ch9200_mdio_read(): return (buff[0] | buff[1] \u0026lt;\u0026lt; 8); El problema se debe a que ch9200_mdio_read() ignora el valor de retorno de control_read(), lo que provoca un acceso uinit a \"buff\". Para solucionarlo, debemos comprobar el valor de retorno de control_read() y devolver el error antes de tiempo."
    }
  ],
  "id": "CVE-2025-38086",
  "lastModified": "2025-06-30T18:38:23.493",
  "metrics": {},
  "published": "2025-06-28T08:15:24.997",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/119766de4930ff40db9f36b960cb53b0c400e81b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/33163c68d2e3061fa3935b5f0a1867958b1cdbd2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/4da7fcc098218ff92b2e83a43f545c02f714cedd"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6bd2569d0b2f918e9581f744df0263caf73ee76c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9a350f30d65197354706b7759b5c89d6c267b1a9"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9ad0452c0277b816a435433cca601304cfac7c21"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9da3e442714f7f4393ff01c265c4959c03e88c2f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/cdaa6d1cb2ff1219c6c822b27655dd170ffb0f72"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.