fkie_cve-2025-38427
Vulnerability from fkie_nvd
Published
2025-07-25 15:15
Modified
2025-07-25 15:29
Summary
In the Linux kernel, the following vulnerability has been resolved:

video: screen_info: Relocate framebuffers behind PCI bridges

Apply PCI host-bridge window offsets to screen_info framebuffers. Fixes
invalid access to I/O memory.

Resources behind a PCI host bridge can be relocated by a certain offset
in the kernel's CPU address range used for I/O. The framebuffer memory
range stored in screen_info refers to the CPU addresses as seen during
boot (where the offset is 0). During boot up, firmware may assign a
different memory offset to the PCI host bridge and thereby relocate
the framebuffer address of the PCI graphics device as seen by the kernel.
The information in screen_info must be updated as well.

The helper pcibios_bus_to_resource() performs the relocation of the
screen_info's framebuffer resource (given in PCI bus addresses). The
result matches the I/O-memory resource of the PCI graphics device (given
in CPU addresses). As before, we store away the information necessary to
later update the information in screen_info itself.

Commit 78aa89d1dfba ("firmware/sysfb: Update screen_info for relocated
EFI framebuffers") added the code for updating screen_info. It is based
on similar functionality that pre-existed in efifb. Efifb uses a pointer
to the PCI resource, while the newer code does a memcpy of the region.
Hence efifb sees any updates to the PCI resource and avoids the issue.

v3:
- Only use struct pci_bus_region for PCI bus addresses (Bjorn)
- Clarify address semantics in commit messages and comments (Bjorn)

v2:
- Fixed tags (Takashi, Ivan)
- Updated information on efifb
{ "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: screen_info: Relocate framebuffers behind PCI bridges\n\nApply PCI host-bridge window offsets to screen_info framebuffers. Fixes\ninvalid access to I/O memory.\n\nResources behind a PCI host bridge can be relocated by a certain offset\nin the kernel\u0027s CPU address range used for I/O. The framebuffer memory\nrange stored in screen_info refers to the CPU addresses as seen during\nboot (where the offset is 0). During boot up, firmware may assign a\ndifferent memory offset to the PCI host bridge and thereby relocating\nthe framebuffer address of the PCI graphics device as seen by the kernel.\nThe information in screen_info must be updated as well.\n\nThe helper pcibios_bus_to_resource() performs the relocation of the\nscreen_info\u0027s framebuffer resource (given in PCI bus addresses). The\nresult matches the I/O-memory resource of the PCI graphics device (given\nin CPU addresses). As before, we store away the information necessary to\nlater update the information in screen_info itself.\n\nCommit 78aa89d1dfba (\"firmware/sysfb: Update screen_info for relocated\nEFI framebuffers\") added the code for updating screen_info. It is based\non similar functionality that pre-existed in efifb. Efifb uses a pointer\nto the PCI resource, while the newer code does a memcpy of the region.\nHence efifb sees any updates to the PCI resource and avoids the issue.\n\nv3:\n- Only use struct pci_bus_region for PCI bus addresses (Bjorn)\n- Clarify address semantics in commit messages and comments (Bjorn)\nv2:\n- Fixed tags (Takashi, Ivan)\n- Updated information on efifb" }, { "lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: video: screen_info: Reubicar framebuffers detr\u00e1s de puentes PCI. Aplicar desplazamientos de ventana del puente host PCI a los framebuffers de screen_info. 
Corrige el acceso no v\u00e1lido a la memoria de E/S. Los recursos detr\u00e1s de un puente host PCI se pueden reubicar mediante un desplazamiento determinado en el rango de direcciones de CPU del kernel utilizado para E/S. El rango de memoria del framebuffer almacenado en screen_info se refiere a las direcciones de CPU tal como se ven durante el arranque (donde el desplazamiento es 0). Durante el arranque, el firmware puede asignar un desplazamiento de memoria diferente al puente host PCI y, por lo tanto, reubicar la direcci\u00f3n del framebuffer del dispositivo gr\u00e1fico PCI tal como lo ve el kernel. La informaci\u00f3n en screen_info tambi\u00e9n debe actualizarse. El asistente pcibios_bus_to_resource() realiza la reubicaci\u00f3n del recurso framebuffer de screen_info (indicado en direcciones de bus PCI). El resultado coincide con el recurso de memoria de E/S del dispositivo gr\u00e1fico PCI (indicado en direcciones de CPU). Como antes, almacenamos la informaci\u00f3n necesaria para actualizarla posteriormente en screen_info. El commit 78aa89d1dfba (\"firmware/sysfb: Update screen_info for relocated EFI framebuffers\" agreg\u00f3 el c\u00f3digo para actualizar screen_info. Se basa en una funcionalidad similar a la que ya exist\u00eda en efifb. Efifb usa un puntero al recurso PCI, mientras que el c\u00f3digo m\u00e1s reciente realiza un memcpy de la regi\u00f3n. Por lo tanto, efifb detecta cualquier actualizaci\u00f3n del recurso PCI y evita el problema. 
v3: - Usar struct pci_bus_region solo para direcciones de bus PCI (Bjorn) - Aclarar la sem\u00e1ntica de las direcciones en los mensajes y comentarios de la confirmaci\u00f3n (Bjorn) v2: - Etiquetas corregidas (Takashi, Ivan) - Informaci\u00f3n actualizada sobre efifb" } ], "id": "CVE-2025-38427", "lastModified": "2025-07-25T15:29:19.837", "metrics": {}, "published": "2025-07-25T15:15:27.623", "references": [ { "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2f29b5c231011b94007d2c8a6d793992f2275db1" }, { "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5c70e3ad85d2890d8af375333699429de26327f2" }, { "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/aeda386d86d79269a08f470dbdc53d13a91e51fa" }, { "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cc3cc41ed67054a03134bea42408c720eec0fa04" } ], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis" }