CVE-2025-38493

{"id": "CVE-2025-38493", "cveTags": [], "metrics": {}, "published": "2025-07-28T12:15:31.483", "references": [{"url": "https://git.kernel.org/stable/c/7bb9ea515cda027c9e717e27fefcf34f092e7c41", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/823d798900481875ba6c68217af028c5ffd2976b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/85a3bce695b361d85fc528e6fbb33e4c8089c806", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fbf90f5aa7ac7cddc69148a71d58f12c8709ce2b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/osnoise: Fix crash in timerlat_dump_stack()\n\nWe have observed kernel panics when using timerlat with stack saving,\nwith the following dmesg output:\n\nmemcpy: detected buffer overflow: 88 byte write of buffer size 0\nWARNING: CPU: 2 PID: 8153 at lib/string_helpers.c:1032 __fortify_report+0x55/0xa0\nCPU: 2 UID: 0 PID: 8153 Comm: timerlatu/2 Kdump: loaded Not tainted 6.15.3-200.fc42.x86_64 #1 PREEMPT(lazy)\nCall Trace:\n <TASK>\n ? trace_buffer_lock_reserve+0x2a/0x60\n __fortify_panic+0xd/0xf\n __timerlat_dump_stack.cold+0xd/0xd\n timerlat_dump_stack.part.0+0x47/0x80\n timerlat_fd_read+0x36d/0x390\n vfs_read+0xe2/0x390\n ? syscall_exit_to_user_mode+0x1d5/0x210\n ksys_read+0x73/0xe0\n do_syscall_64+0x7b/0x160\n ? exc_page_fault+0x7e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n__timerlat_dump_stack() constructs the ftrace stack entry like this:\n\nstruct stack_entry *entry;\n...\nmemcpy(&entry->caller, fstack->calls, size);\nentry->size = fstack->nr_entries;\n\nSince commit e7186af7fb26 (\"tracing: Add back FORTIFY_SOURCE logic to\nkernel_stack event structure\"), struct stack_entry marks its caller\nfield with __counted_by(size). At the time of the memcpy, entry->size\ncontains garbage from the ringbuffer, which under some circumstances is\nzero, triggering a kernel panic by buffer overflow.\n\nPopulate the size field before the memcpy so that the out-of-bounds\ncheck knows the correct size. This is analogous to\n__ftrace_trace_stack()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tracing/osnoise: corrige fallo en timerlat_dump_stack() Hemos observado p\u00e1nicos en el kernel al usar timerlat con guardado de pila, con la siguiente salida de dmesg: memcpy: desbordamiento de b\u00fafer detectado: escritura de 88 bytes de tama\u00f1o de b\u00fafer 0 WARNING: CPU: 2 PID: 8153 at lib/string_helpers.c:1032 __fortify_report+0x55/0xa0 CPU: 2 UID: 0 PID: 8153 Comm: timerlatu/2 Kdump: loaded Not tainted 6.15.3-200.fc42.x86_64 #1 PREEMPT(lazy) Call Trace: ? trace_buffer_lock_reserve+0x2a/0x60 __fortify_panic+0xd/0xf __timerlat_dump_stack.cold+0xd/0xd timerlat_dump_stack.part.0+0x47/0x80 timerlat_fd_read+0x36d/0x390 vfs_read+0xe2/0x390 ? syscall_exit_to_user_mode+0x1d5/0x210 ksys_read+0x73/0xe0 do_syscall_64+0x7b/0x160 ? exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e __timerlat_dump_stack() construye la entrada de la pila ftrace de la siguiente manera: struct stack_entry *entry; ... memcpy(&amp;entry-&gt;caller, fstack-&gt;calls, size); entry-&gt;size = fstack-&gt;nr_entries; Desde el commit e7186af7fb26 (\"rastreo: Agregar la l\u00f3gica de FORTIFY_SOURCE a la estructura de eventos kernel_stack\"), struct stack_entry marca su campo de llamada con __counted_by(size). Al ejecutar memcpy, entry-&gt;size contiene informaci\u00f3n no v\u00e1lida del b\u00fafer de anillo, que en algunas circunstancias es cero, lo que desencadena un p\u00e1nico del n\u00facleo por desbordamiento del b\u00fafer. Rellene el campo de tama\u00f1o antes de ejecutar memcpy para que la comprobaci\u00f3n de fuera de los l\u00edmites conozca el tama\u00f1o correcto. Esto es an\u00e1logo a __ftrace_trace_stack()."}], "lastModified": "2025-07-29T14:14:29.590", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}