ghsa-826j-xvc4-rfgh
Vulnerability from github
Published
2025-07-10 09:32
Modified
2025-07-10 09:32
Details

In the Linux kernel, the following vulnerability has been resolved:

virtio-pci: Fix result size returned for the admin command completion

The result size returned by virtio_pci_admin_dev_parts_get() is 8 bytes larger than the actual result data size. This occurs because the result_sg_size field of the command is filled with the result length from virtqueue_get_buf(), which includes both the data size and an additional 8 bytes of status.

This oversized result size causes two issues: 1. The state transferred to the destination includes 8 bytes of extra data at the end. 2. The allocated buffer in the kernel may be smaller than the returned size, leading to failures when reading beyond the allocated size.

The commit fixes this by subtracting the status size from the result of virtqueue_get_buf().

This fix has been tested through live migrations with virtio-net, virtio-net-transitional, and virtio-blk devices.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38314"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T08:15:30Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-pci: Fix result size returned for the admin command completion\n\nThe result size returned by virtio_pci_admin_dev_parts_get() is 8 bytes\nlarger than the actual result data size. This occurs because the\nresult_sg_size field of the command is filled with the result length\nfrom virtqueue_get_buf(), which includes both the data size and an\nadditional 8 bytes of status.\n\nThis oversized result size causes two issues:\n1. The state transferred to the destination includes 8 bytes of extra\n   data at the end.\n2. The allocated buffer in the kernel may be smaller than the returned\n   size, leading to failures when reading beyond the allocated size.\n\nThe commit fixes this by subtracting the status size from the result of\nvirtqueue_get_buf().\n\nThis fix has been tested through live migrations with virtio-net,\nvirtio-net-transitional, and virtio-blk devices.",
  "id": "GHSA-826j-xvc4-rfgh",
  "modified": "2025-07-10T09:32:30Z",
  "published": "2025-07-10T09:32:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38314"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/920b6720bb63893b81516c0c45884a8350f9e4bf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ef41ebf787fcbde99ac404ae473f8467641f983"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.