CVE-2025-38261

{"id": "CVE-2025-38261", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-07-09T11:15:28.460", "references": [{"url": "https://git.kernel.org/stable/c/69ea599a8dab93a620c92c255be4239a06290a77", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/788aa64c01f1262310b4c1fb827a36df170d86ea", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: save the SR_SUM status over switches\n\nWhen threads/tasks are switched we need to ensure the old execution's\nSR_SUM state is saved and the new thread has the old SR_SUM state\nrestored.\n\nThe issue was seen under heavy load especially with the syz-stress tool\nrunning, with crashes as follows in schedule_tail:\n\nUnable to handle kernel access to user memory without uaccess routines\nat virtual address 000000002749f0d0\nOops [#1]\nModules linked in:\nCPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted\n5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0\nHardware name: riscv-virtio,qemu (DT)\nepc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264\n ra : task_pid_vnr include/linux/sched.h:1421 [inline]\n ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264\nepc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0\n gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000\n t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0\n s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003\n a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00\n a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba\n s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0\n s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850\n s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8\n s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2\n t5 : ffffffc4043cafba t6 : 0000000000040000\nstatus: 0000000000000120 badaddr: 000000002749f0d0 cause:\n000000000000000f\nCall Trace:\n[<ffffffe00008c8b0>] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264\n[<ffffffe000005570>] ret_from_exception+0x0/0x14\nDumping ftrace buffer:\n (ftrace buffer empty)\n---[ end trace b5f8f9231dc87dda ]---\n\nThe issue comes from the put_user() in schedule_tail\n(kernel/sched/core.c) doing the following:\n\nasmlinkage __visible void schedule_tail(struct task_struct *prev)\n{\n...\n if (current->set_child_tid)\n put_user(task_pid_vnr(current), current->set_child_tid);\n...\n}\n\nthe put_user() macro causes the code sequence to come out as follows:\n\n1:\t__enable_user_access()\n2:\treg = task_pid_vnr(current);\n3:\t*current->set_child_tid = reg;\n4:\t__disable_user_access()\n\nThe problem is that we may have a sleeping function as argument which\ncould clear SR_SUM causing the panic above. This was fixed by\nevaluating the argument of the put_user() macro outside the user-enabled\nsection in commit 285a76bb2cf5 (\"riscv: evaluate put_user() arg before\nenabling user access\")\"\n\nIn order for riscv to take advantage of unsafe_get/put_XXX() macros and\nto avoid the same issue we had with put_user() and sleeping functions we\nmust ensure code flow can go through switch_to() from within a region of\ncode with SR_SUM enabled and come back with SR_SUM still enabled. This\npatch addresses the problem allowing future work to enable full use of\nunsafe_get/put_XXX() macros without needing to take a CSR bit flip cost\non every access. Make switch_to() save and restore SR_SUM."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: riscv: guardar el estado SR_SUM durante los cambios Cuando se cambian los subprocesos o las tareas, debemos asegurarnos de que se guarde el estado SR_SUM de la ejecuci\u00f3n anterior y que el nuevo subproceso tenga el estado SR_SUM anterior restaurado. El problema se observ\u00f3 bajo carga pesada, especialmente con la herramienta syz-stress ejecut\u00e1ndose, con fallos como los siguientes en schedule_tail: No se puede manejar el acceso del kernel a la memoria del usuario sin rutinas uaccess en la direcci\u00f3n virtual 000000002749f0d0 Oops [#1] M\u00f3dulos vinculados: CPU: 1 PID: 4875 Comm: syz-executor.0 No contaminado 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0 Nombre del hardware: riscv-virtio,qemu (DT) epc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264 ra : task_pid_vnr include/linux/sched.h:1421 [inline] ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264 epc: ffffffe00008c8b0 ra: ffffffe00008c8ae sp: ffffffe025d17ec0 gp: ffffffe005d25378 tp: ffffffe00f0d0000 t0: 0000000000000000 t1: 0000000000000001 t2: 00000000000f4240 s0: ffffffe025d17ee0 s1: 000000002749f0d0 a0: 00000000000002a a1: 000000000000003 a2: 1ffffffc0cfac500 a3: ffffffe0000c80cc a4: 5ae9db91c19bbe00 a5: 0000000000000000 a6: 0000000000f00000 a7: ffffffe000082eba s2: 0000000000040000 s3: ffffffe00eef96c0 s4: ffffffe022c77fe0 s5: 0000000000004000 s6: ffffffe067d74e00 s7: ffffffe067d74850 s8: ffffffe067d73e18 s9: ffffffe067d74e00 s10: ffffffe00eef96e8 s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2 t5 : ffffffc4043cafba t6 : 0000000000040000 estado: 0000000000000120 direcci\u00f3n incorrecta: 000000002749f0d0 causa: 000000000000000f Seguimiento de llamadas: [] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264 [] ret_from_exception+0x0/0x14 Volcando buffer ftrace: (ftrace buffer vac\u00edo) ---[ fin de seguimiento b5f8f9231dc87dda ]--- El problema proviene de put_user() en schedule_tail (kernel/sched/core.c) que hace lo siguiente: asmlinkage __visible void schedule_tail(struct task_struct *prev) { ... if (current-&gt;set_child_tid) put_user(task_pid_vnr(current), current-&gt;set_child_tid); ... } la macro put_user() hace que la secuencia de c\u00f3digo salga de la siguiente manera: 1: __enable_user_access() 2: reg = task_pid_vnr(current); 3: *current-&gt;set_child_tid = reg; 4: __disable_user_access(). El problema radica en que podr\u00edamos tener una funci\u00f3n inactiva como argumento que podr\u00eda borrar SR_SUM, causando el p\u00e1nico mencionado. Esto se solucion\u00f3 evaluando el argumento de la macro put_user() fuera de la secci\u00f3n habilitada por el usuario en el commit 285a76bb2cf5 (\"riscv: evaluar el argumento put_user() antes de habilitar el acceso del usuario\"). Para que riscv aproveche las macros unsafe_get/put_XXX() y evite el mismo problema que tuvimos con put_user() y las funciones inactivas, debemos asegurar que el flujo de c\u00f3digo pueda pasar por switch_to() desde una regi\u00f3n de c\u00f3digo con SR_SUM habilitado y regresar con SR_SUM a\u00fan habilitado. Este parche soluciona el problema, lo que permitir\u00e1 que en trabajos futuros se habilite el uso completo de las macros unsafe_get/put_XXX() sin necesidad de aplicar un coste de cambio de bit CSR en cada acceso. Haga que switch_to() guarde y restaure SR_SUM."}], "lastModified": "2025-11-20T20:14:50.460", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EFF2A66B-BE62-44E4-9625-6925863DFD4A", "versionEndExcluding": "6.15.5", "versionStartIncluding": "4.15"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}