fkie_cve-2025-38344
Vulnerability from fkie_nvd
Published
2025-07-10 09:15
Modified
2025-07-10 13:17
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi parse and parseext cache leaks ACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5 I'm Seunghun Han, and I work for National Security Research Institute of South Korea. I have been doing a research on ACPI and found an ACPI cache leak in ACPI early abort cases. Boot log of ACPI cache leak is as follows: [ 0.352414] ACPI: Added _OSI(Module Device) [ 0.353182] ACPI: Added _OSI(Processor Device) [ 0.353182] ACPI: Added _OSI(3.0 _SCP Extensions) [ 0.353182] ACPI: Added _OSI(Processor Aggregator Device) [ 0.356028] ACPI: Unable to start the ACPI Interpreter [ 0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) [ 0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects [ 0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #10 [ 0.361273] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.361873] Call Trace: [ 0.362243] ? dump_stack+0x5c/0x81 [ 0.362591] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.362944] ? acpi_sleep_proc_init+0x27/0x27 [ 0.363296] ? acpi_os_delete_cache+0xa/0x10 [ 0.363646] ? acpi_ut_delete_caches+0x6d/0x7b [ 0.364000] ? acpi_terminate+0xa/0x14 [ 0.364000] ? acpi_init+0x2af/0x34f [ 0.364000] ? __class_create+0x4c/0x80 [ 0.364000] ? video_setup+0x7f/0x7f [ 0.364000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.364000] ? do_one_initcall+0x4e/0x1a0 [ 0.364000] ? kernel_init_freeable+0x189/0x20a [ 0.364000] ? rest_init+0xc0/0xc0 [ 0.364000] ? kernel_init+0xa/0x100 [ 0.364000] ? ret_from_fork+0x25/0x30 I analyzed this memory leak in detail. I found that “Acpi-State” cache and “Acpi-Parse” cache were merged because the size of cache objects was same slab cache size. I finally found “Acpi-Parse” cache and “Acpi-parse_ext” cache were leaked using SLAB_NEVER_MERGE flag in kmem_cache_create() function. Real ACPI cache leak point is as follows: [ 0.360101] ACPI: Added _OSI(Module Device) [ 0.360101] ACPI: Added _OSI(Processor Device) [ 0.360101] ACPI: Added _OSI(3.0 _SCP Extensions) [ 0.361043] ACPI: Added _OSI(Processor Aggregator Device) [ 0.364016] ACPI: Unable to start the ACPI Interpreter [ 0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) [ 0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects [ 0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #8 [ 0.371256] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.372000] Call Trace: [ 0.372000] ? dump_stack+0x5c/0x81 [ 0.372000] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.372000] ? acpi_os_delete_cache+0xa/0x10 [ 0.372000] ? acpi_ut_delete_caches+0x56/0x7b [ 0.372000] ? acpi_terminate+0xa/0x14 [ 0.372000] ? acpi_init+0x2af/0x34f [ 0.372000] ? __class_create+0x4c/0x80 [ 0.372000] ? video_setup+0x7f/0x7f [ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.372000] ? do_one_initcall+0x4e/0x1a0 [ 0.372000] ? kernel_init_freeable+0x189/0x20a [ 0.372000] ? rest_init+0xc0/0xc0 [ 0.372000] ? kernel_init+0xa/0x100 [ 0.372000] ? ret_from_fork+0x25/0x30 [ 0.388039] kmem_cache_destroy Acpi-parse_ext: Slab cache still has objects [ 0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #8 [ 0.390557] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.392000] Call Trace: [ 0.392000] ? dump_stack+0x5c/0x81 [ 0.392000] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.392000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.392000] ? acpi_os_delete_cache+0xa/0x10 [ 0.392000] ? acpi_ut_delete_caches+0x6d/0x7b [ 0.392000] ? acpi_terminate+0xa/0x14 [ 0.392000] ? acpi_init+0x2af/0x3 ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0a119fdaed67566aa3e0b5222dced4d08bbce463
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/198c2dab022e5e94a99fff267b669d693bc7bb49
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1e0e629e88b1f7751ce69bf70cda6d1598d45271
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1fee4324b5660de080cefc3fc91c371543bdb8f6
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3e0c59180ec83bdec43b3d3482cff23d86d380d0
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/41afebc9a0762aafc35d2df88f4e1b798155a940
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/960236150cd3f08e13b397dd5ae4ccf7a2986c00
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bed18f0bdcd6737a938264a59d67923688696fc4
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: fix acpi parse and parseext cache leaks\n\nACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5\n\nI\u0027m Seunghun Han, and I work for National Security Research Institute of\nSouth Korea.\n\nI have been doing a research on ACPI and found an ACPI cache leak in ACPI\nearly abort cases.\n\nBoot log of ACPI cache leak is as follows:\n[    0.352414] ACPI: Added _OSI(Module Device)\n[    0.353182] ACPI: Added _OSI(Processor Device)\n[    0.353182] ACPI: Added _OSI(3.0 _SCP Extensions)\n[    0.353182] ACPI: Added _OSI(Processor Aggregator Device)\n[    0.356028] ACPI: Unable to start the ACPI Interpreter\n[    0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n[    0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects\n[    0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W\n4.12.0-rc4-next-20170608+ #10\n[    0.361273] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS\nvirtual_box 12/01/2006\n[    0.361873] Call Trace:\n[    0.362243]  ? dump_stack+0x5c/0x81\n[    0.362591]  ? kmem_cache_destroy+0x1aa/0x1c0\n[    0.362944]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.363296]  ? acpi_os_delete_cache+0xa/0x10\n[    0.363646]  ? acpi_ut_delete_caches+0x6d/0x7b\n[    0.364000]  ? acpi_terminate+0xa/0x14\n[    0.364000]  ? acpi_init+0x2af/0x34f\n[    0.364000]  ? __class_create+0x4c/0x80\n[    0.364000]  ? video_setup+0x7f/0x7f\n[    0.364000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.364000]  ? do_one_initcall+0x4e/0x1a0\n[    0.364000]  ? kernel_init_freeable+0x189/0x20a\n[    0.364000]  ? rest_init+0xc0/0xc0\n[    0.364000]  ? kernel_init+0xa/0x100\n[    0.364000]  ? ret_from_fork+0x25/0x30\n\nI analyzed this memory leak in detail. I found that \u201cAcpi-State\u201d cache and\n\u201cAcpi-Parse\u201d cache were merged because the size of cache objects was same\nslab cache size.\n\nI finally found \u201cAcpi-Parse\u201d cache and \u201cAcpi-parse_ext\u201d cache were leaked\nusing SLAB_NEVER_MERGE flag in kmem_cache_create() function.\n\nReal ACPI cache leak point is as follows:\n[    0.360101] ACPI: Added _OSI(Module Device)\n[    0.360101] ACPI: Added _OSI(Processor Device)\n[    0.360101] ACPI: Added _OSI(3.0 _SCP Extensions)\n[    0.361043] ACPI: Added _OSI(Processor Aggregator Device)\n[    0.364016] ACPI: Unable to start the ACPI Interpreter\n[    0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n[    0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects\n[    0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W\n4.12.0-rc4-next-20170608+ #8\n[    0.371256] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS\nvirtual_box 12/01/2006\n[    0.372000] Call Trace:\n[    0.372000]  ? dump_stack+0x5c/0x81\n[    0.372000]  ? kmem_cache_destroy+0x1aa/0x1c0\n[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.372000]  ? acpi_os_delete_cache+0xa/0x10\n[    0.372000]  ? acpi_ut_delete_caches+0x56/0x7b\n[    0.372000]  ? acpi_terminate+0xa/0x14\n[    0.372000]  ? acpi_init+0x2af/0x34f\n[    0.372000]  ? __class_create+0x4c/0x80\n[    0.372000]  ? video_setup+0x7f/0x7f\n[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.372000]  ? do_one_initcall+0x4e/0x1a0\n[    0.372000]  ? kernel_init_freeable+0x189/0x20a\n[    0.372000]  ? rest_init+0xc0/0xc0\n[    0.372000]  ? kernel_init+0xa/0x100\n[    0.372000]  ? ret_from_fork+0x25/0x30\n[    0.388039] kmem_cache_destroy Acpi-parse_ext: Slab cache still has objects\n[    0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W\n4.12.0-rc4-next-20170608+ #8\n[    0.390557] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS\nvirtual_box 12/01/2006\n[    0.392000] Call Trace:\n[    0.392000]  ? dump_stack+0x5c/0x81\n[    0.392000]  ? kmem_cache_destroy+0x1aa/0x1c0\n[    0.392000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.392000]  ? acpi_os_delete_cache+0xa/0x10\n[    0.392000]  ? acpi_ut_delete_caches+0x6d/0x7b\n[    0.392000]  ? acpi_terminate+0xa/0x14\n[    0.392000]  ? acpi_init+0x2af/0x3\n---truncated---"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ACPICA: se corrigen las fugas de cach\u00e9 de ACPI parse y parseext. Confirmaci\u00f3n de ACPICA 8829e70e1360c81e7a5a901b5d4f48330e021ea5. Soy Seunghun Han y trabajo para el Instituto de Investigaci\u00f3n de Seguridad Nacional de Corea del Sur. He estado investigando sobre ACPI y he encontrado una fuga de cach\u00e9 en casos de aborto temprano de ACPI. El registro de arranque de la p\u00e9rdida de cach\u00e9 ACPI es el siguiente: [0.352414] ACPI: _OSI(Dispositivo de m\u00f3dulo) a\u00f1adido [0.353182] ACPI: _OSI(Dispositivo de procesador) a\u00f1adido [0.353182] ACPI: _OSI(Extensiones 3.0 _SCP) a\u00f1adido [0.353182] ACPI: _OSI(Dispositivo agregador de procesador) a\u00f1adido [0.356028] ACPI: No se puede iniciar el int\u00e9rprete ACPI [0.356799] Error ACPI: No se pudo eliminar el controlador SCI (20170303/evmisc-281) [0.360215] kmem_cache_destroy Estado Acpi: La cach\u00e9 Slab todav\u00eda tiene objetos [0.360648] CPU: 0 PID: 1 Comm: swapper/0 Contaminado: GW 4.12.0-rc4-next-20170608+ #10 [ 0.361273] Nombre del hardware: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.361873] Rastreo de llamadas: [ 0.362243] ? dump_stack+0x5c/0x81 [ 0.362591] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.362944] ? acpi_sleep_proc_init+0x27/0x27 [ 0.363296] ? acpi_os_delete_cache+0xa/0x10 [ 0.363646] ? acpi_ut_delete_caches+0x6d/0x7b [ 0.364000] ? acpi_terminate+0xa/0x14 [ 0.364000] ? acpi_init+0x2af/0x34f [ 0.364000] ? __class_create+0x4c/0x80 [ 0.364000] ? video_setup+0x7f/0x7f [ 0.364000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.364000] ? do_one_initcall+0x4e/0x1a0 [ 0.364000] ? kernel_init_freeable+0x189/0x20a [ 0.364000] ? rest_init+0xc0/0xc0 [ 0.364000] ? kernel_init+0xa/0x100 [ 0.364000] ? ret_from_fork+0x25/0x30 Analic\u00e9 esta fuga de memoria en detalle. Descubr\u00ed que las cach\u00e9s \"Acpi-State\" y \"Acpi-Parse\" se fusionaron porque el tama\u00f1o de los objetos de la cach\u00e9 era el mismo que el de la cach\u00e9 slab. Finalmente, descubr\u00ed que las cach\u00e9s \"Acpi-Parse\" y \"Acpi-parse_ext\" se filtraron mediante el indicador SLAB_NEVER_MERGE de la funci\u00f3n kmem_cache_create(). El punto de fuga de cach\u00e9 ACPI real es el siguiente: [0.360101] ACPI: _OSI(Dispositivo de m\u00f3dulo) a\u00f1adido [0.360101] ACPI: _OSI(Dispositivo de procesador) a\u00f1adido [0.360101] ACPI: _OSI(Extensiones 3.0 _SCP) a\u00f1adido [0.361043] ACPI: _OSI(Dispositivo agregador de procesador) a\u00f1adido [0.364016] ACPI: No se puede iniciar el int\u00e9rprete ACPI [0.365061] Error ACPI: No se pudo eliminar el controlador SCI (20170303/evmisc-281) [0.368174] kmem_cache_destroy Acpi-Parse: La cach\u00e9 Slab a\u00fan tiene objetos [0.369332] CPU: 1 PID: 1 Comm: swapper/0 Contaminado: GW 4.12.0-rc4-next-20170608+ #8 [ 0.371256] Nombre del hardware: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.372000] Rastreo de llamadas: [ 0.372000] ? dump_stack+0x5c/0x81 [ 0.372000] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.372000] ? acpi_os_delete_cache+0xa/0x10 [ 0.372000] ? acpi_ut_delete_caches+0x56/0x7b [0.372000] ? acpi_terminate+0xa/0x14 [0.372000] ? acpi_init+0x2af/0x34f [0.372000] ? __class_create+0x4c/0x80 [0.372000] ? video_setup+0x7f/0x7f [0.372000] ? acpi_sleep_proc_init+0x27/0x27 [0.372000] ? do_one_initcall+0x4e/0x1a0 [0.372000] ? kernel_init_freeable+0x189/0x20a [0.372000] ? rest_init+0xc0/0xc0 [ 0.372000] ? kernel_init+0xa/0x100 [ 0.372000] ? ret_from_fork+0x25/0x30 [ 0.388039] kmem_cache_destroy Acpi-parse_ext: La cach\u00e9 Slab a\u00fan tiene objetos [ 0.389063] CPU: 1 PID: 1 Comm: swapper/0 Contaminado: GW 4.12.0-rc4-next-20170608+ #8 [ 0.390557] Nombre del hardware: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.392000] Rastreo de llamadas: [ 0.392000] ? dump_stack+0x5c/0x81 [ 0.392000] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.392000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.392000] ? acpi_os_delete_cache+0xa/0x10 [ 0.392000] ? acpi_ut_delete_caches+0x6d/0x7b [ 0.392000] ? acpi_terminate+0xa/0x14 [ 0.392000] ? acpi_init+0x2af/0x3 ---truncado---"
    }
  ],
  "id": "CVE-2025-38344",
  "lastModified": "2025-07-10T13:17:30.017",
  "metrics": {},
  "published": "2025-07-10T09:15:29.283",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/0a119fdaed67566aa3e0b5222dced4d08bbce463"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/198c2dab022e5e94a99fff267b669d693bc7bb49"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1e0e629e88b1f7751ce69bf70cda6d1598d45271"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1fee4324b5660de080cefc3fc91c371543bdb8f6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3e0c59180ec83bdec43b3d3482cff23d86d380d0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/41afebc9a0762aafc35d2df88f4e1b798155a940"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/960236150cd3f08e13b397dd5ae4ccf7a2986c00"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/bed18f0bdcd6737a938264a59d67923688696fc4"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.