ghsa-6gcc-wg3c-rg44
Vulnerability from github
Published
2025-06-18 12:30
Modified
2025-06-18 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

libnvdimm/labels: Fix divide error in nd_label_data_init()

If a faulty CXL memory device returns a broken zero LSA size in its memory device information (Identify Memory Device (Opcode 4000h), CXL spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm driver:

Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm]

Code and flow:

1) CXL Command 4000h returns LSA size = 0 2) config_size is assigned to zero LSA size (CXL pmem driver):

drivers/cxl/pmem.c: .config_size = mds->lsa_size,

3) max_xfer is set to zero (nvdimm driver):

drivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd->nsarea.max_xfer, config_size);

4) A subsequent DIV_ROUND_UP() causes a division by zero:

drivers/nvdimm/label.c: / Make our initial read size a multiple of max_xfer size / drivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer, drivers/nvdimm/label.c- config_size);

Fix this by checking the config size parameter by extending an existing check.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38072"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T10:15:40Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibnvdimm/labels: Fix divide error in nd_label_data_init()\n\nIf a faulty CXL memory device returns a broken zero LSA size in its\nmemory device information (Identify Memory Device (Opcode 4000h), CXL\nspec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm\ndriver:\n\n Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI\n RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm]\n\nCode and flow:\n\n1) CXL Command 4000h returns LSA size = 0\n2) config_size is assigned to zero LSA size (CXL pmem driver):\n\ndrivers/cxl/pmem.c:             .config_size = mds-\u003elsa_size,\n\n3) max_xfer is set to zero (nvdimm driver):\n\ndrivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd-\u003ensarea.max_xfer, config_size);\n\n4) A subsequent DIV_ROUND_UP() causes a division by zero:\n\ndrivers/nvdimm/label.c: /* Make our initial read size a multiple of max_xfer size */\ndrivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer,\ndrivers/nvdimm/label.c-                 config_size);\n\nFix this by checking the config size parameter by extending an\nexisting check.",
  "id": "GHSA-6gcc-wg3c-rg44",
  "modified": "2025-06-18T12:30:34Z",
  "published": "2025-06-18T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38072"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1d1e1efad1cf049e888bf175a5c6be85d792620c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2bd4a938d2eda96ab7288b8fa5aae84a1de8c4ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/396c46d3f59a18ebcc500640e749f16e197d472b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/db1aef51b8e66a77f76b1250b914589c31a0a0ed"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e14347f647ca6d76fe1509b6703e340f2d5e2716"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea3d95e05e97ea20fd6513f647393add16fce3b2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef1d3455bbc1922f94a91ed58d3d7db440652959"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f49c337037df029440a8390380dd35d2cf5924d3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.