ghsa-28hg-q873-p4hv
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
vgacon: Add check for vc_origin address range in vgacon_scroll()
Our in-house Syzkaller reported the following BUG (twice), which we believed was the same issue with [1]:
================================================================== BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740 Read of size 2 at addr ffff88800f5bef60 by task syz.7.2620/12393 ... Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 print_address_description.constprop.0+0x6b/0x3d0 mm/kasan/report.c:364 print_report+0xba/0x280 mm/kasan/report.c:475 kasan_report+0xa9/0xe0 mm/kasan/report.c:588 vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740 vcs_write_buf_noattr drivers/tty/vt/vc_screen.c:493 [inline] vcs_write+0x586/0x840 drivers/tty/vt/vc_screen.c:690 vfs_write+0x219/0x960 fs/read_write.c:584 ksys_write+0x12e/0x260 fs/read_write.c:639 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 ...
Allocated by task 5614: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 _kasankmalloc mm/kasan/common.c:374 [inline] kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383 kasan_kmalloc include/linux/kasan.h:201 [inline] __do_kmalloc_node mm/slab_common.c:1007 [inline] __kmalloc+0x62/0x140 mm/slab_common.c:1020 kmalloc include/linux/slab.h:604 [inline] kzalloc include/linux/slab.h:721 [inline] vc_do_resize+0x235/0xf40 drivers/tty/vt/vt.c:1193 vgacon_adjust_height+0x2d4/0x350 drivers/video/console/vgacon.c:1007 vgacon_font_set+0x1f7/0x240 drivers/video/console/vgacon.c:1031 con_font_set drivers/tty/vt/vt.c:4628 [inline] con_font_op+0x4da/0xa20 drivers/tty/vt/vt.c:4675 vt_k_ioctl+0xa10/0xb30 drivers/tty/vt/vt_ioctl.c:474 vt_ioctl+0x14c/0x1870 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x655/0x1510 drivers/tty/tty_io.c:2779 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0x12d/0x190 fs/ioctl.c:857 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2
Last potentially related work creation: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 __kasan_record_aux_stack+0x94/0xa0 mm/kasan/generic.c:492 __call_rcu_common.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713 netlink_release+0x620/0xc20 net/netlink/af_netlink.c:802 __sock_release+0xb5/0x270 net/socket.c:663 sock_close+0x1e/0x30 net/socket.c:1425 __fput+0x408/0xab0 fs/file_table.c:384 __fput_sync+0x4c/0x60 fs/file_table.c:465 __do_sys_close fs/open.c:1580 [inline] __se_sys_close+0x68/0xd0 fs/open.c:1565 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2
Second to last potentially related work creation: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 __kasan_record_aux_stack+0x94/0xa0 mm/kasan/generic.c:492 __call_rcu_common.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713 netlink_release+0x620/0xc20 net/netlink/af_netlink.c:802 __sock_release+0xb5/0x270 net/socket.c:663 sock_close+0x1e/0x30 net/socket.c:1425 __fput+0x408/0xab0 fs/file_table.c:384 task_work_run+0x154/0x240 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:45 [inline] do_exit+0x8e5/0x1320 kernel/exit.c:874 do_group_exit+0xcd/0x280 kernel/exit.c:1023 get_signal+0x1675/0x1850 kernel/signal.c:2905 arch_do_signal_or_restart+0x80/0x3b0 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x1b3/0x1e0 kernel/entry/common.c:218 do_syscall_64+0x66/0x110 arch/x86/ent ---truncated---
{
"affected": [],
"aliases": [
"CVE-2025-38213"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-04T14:15:29Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvgacon: Add check for vc_origin address range in vgacon_scroll()\n\nOur in-house Syzkaller reported the following BUG (twice), which we\nbelieved was the same issue with [1]:\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740\nRead of size 2 at addr ffff88800f5bef60 by task syz.7.2620/12393\n...\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106\n print_address_description.constprop.0+0x6b/0x3d0 mm/kasan/report.c:364\n print_report+0xba/0x280 mm/kasan/report.c:475\n kasan_report+0xa9/0xe0 mm/kasan/report.c:588\n vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740\n vcs_write_buf_noattr drivers/tty/vt/vc_screen.c:493 [inline]\n vcs_write+0x586/0x840 drivers/tty/vt/vc_screen.c:690\n vfs_write+0x219/0x960 fs/read_write.c:584\n ksys_write+0x12e/0x260 fs/read_write.c:639\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x78/0xe2\n ...\n \u003c/TASK\u003e\n\nAllocated by task 5614:\n kasan_save_stack+0x20/0x40 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n ____kasan_kmalloc mm/kasan/common.c:374 [inline]\n __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383\n kasan_kmalloc include/linux/kasan.h:201 [inline]\n __do_kmalloc_node mm/slab_common.c:1007 [inline]\n __kmalloc+0x62/0x140 mm/slab_common.c:1020\n kmalloc include/linux/slab.h:604 [inline]\n kzalloc include/linux/slab.h:721 [inline]\n vc_do_resize+0x235/0xf40 drivers/tty/vt/vt.c:1193\n vgacon_adjust_height+0x2d4/0x350 drivers/video/console/vgacon.c:1007\n vgacon_font_set+0x1f7/0x240 drivers/video/console/vgacon.c:1031\n con_font_set drivers/tty/vt/vt.c:4628 [inline]\n con_font_op+0x4da/0xa20 drivers/tty/vt/vt.c:4675\n vt_k_ioctl+0xa10/0xb30 drivers/tty/vt/vt_ioctl.c:474\n vt_ioctl+0x14c/0x1870 drivers/tty/vt/vt_ioctl.c:752\n tty_ioctl+0x655/0x1510 drivers/tty/tty_io.c:2779\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:871 [inline]\n __se_sys_ioctl+0x12d/0x190 fs/ioctl.c:857\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nLast potentially related work creation:\n kasan_save_stack+0x20/0x40 mm/kasan/common.c:45\n __kasan_record_aux_stack+0x94/0xa0 mm/kasan/generic.c:492\n __call_rcu_common.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713\n netlink_release+0x620/0xc20 net/netlink/af_netlink.c:802\n __sock_release+0xb5/0x270 net/socket.c:663\n sock_close+0x1e/0x30 net/socket.c:1425\n __fput+0x408/0xab0 fs/file_table.c:384\n __fput_sync+0x4c/0x60 fs/file_table.c:465\n __do_sys_close fs/open.c:1580 [inline]\n __se_sys_close+0x68/0xd0 fs/open.c:1565\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nSecond to last potentially related work creation:\n kasan_save_stack+0x20/0x40 mm/kasan/common.c:45\n __kasan_record_aux_stack+0x94/0xa0 mm/kasan/generic.c:492\n __call_rcu_common.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713\n netlink_release+0x620/0xc20 net/netlink/af_netlink.c:802\n __sock_release+0xb5/0x270 net/socket.c:663\n sock_close+0x1e/0x30 net/socket.c:1425\n __fput+0x408/0xab0 fs/file_table.c:384\n task_work_run+0x154/0x240 kernel/task_work.c:239\n exit_task_work include/linux/task_work.h:45 [inline]\n do_exit+0x8e5/0x1320 kernel/exit.c:874\n do_group_exit+0xcd/0x280 kernel/exit.c:1023\n get_signal+0x1675/0x1850 kernel/signal.c:2905\n arch_do_signal_or_restart+0x80/0x3b0 arch/x86/kernel/signal.c:310\n exit_to_user_mode_loop kernel/entry/common.c:111 [inline]\n exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]\n __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]\n syscall_exit_to_user_mode+0x1b3/0x1e0 kernel/entry/common.c:218\n do_syscall_64+0x66/0x110 arch/x86/ent\n---truncated---",
"id": "GHSA-28hg-q873-p4hv",
"modified": "2025-07-04T15:31:09Z",
"published": "2025-07-04T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38213"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f4040a5855a59e48296f1b5a7cc0fceea3195b1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/499b77fa1416a85fee106e60b240e912bca10cb8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/843de5fbfe277e30fb333a7fa033b684c37829ac"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/864f9963ec6b4b76d104d595ba28110b87158003"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9928ba7de39793a1c7c77b8b9e6ecf6209110311"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bf9c07864765864b968e59c7b72db91130d621ca"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e44532b1c358bfd2c4c7dc28fd01d47fef09ac70"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f20fd54af4e1077fdbca4dd98375a4d1d941e50d"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.