Wind River Support Network

HomeDefectsLIN1022-16133
Acknowledged

LIN1022-16133 : Security Advisory - linux - CVE-2025-38023

Created: Jun 19, 2025    Updated: Jun 20, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]nfs: handle failure of nfs_get_lock_context in unlock path[EOL][EOL]When memory is insufficient, the allocation of nfs_lock_context in[EOL]nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat[EOL]an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM)[EOL]as valid and proceed to execute rpc_run_task(), this will trigger a NULL[EOL]pointer dereference in nfs4_locku_prepare. For example:[EOL][EOL]BUG: kernel NULL pointer dereference, address: 000000000000000c[EOL]PGD 0 P4D 0[EOL]Oops: Oops: 0000 [#1] SMP PTI[EOL]CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60[EOL]Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40[EOL]Workqueue: rpciod rpc_async_schedule[EOL]RIP: 0010:nfs4_locku_prepare+0x35/0xc2[EOL]Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3[EOL]RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246[EOL]RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000[EOL]RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40[EOL]RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38[EOL]R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030[EOL]R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30[EOL]FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000[EOL]CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[EOL]CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0[EOL]Call Trace:[EOL] <TASK>[EOL] __rpc_execute+0xbc/0x480[EOL] rpc_async_schedule+0x2f/0x40[EOL] process_one_work+0x232/0x5d0[EOL] worker_thread+0x1da/0x3d0[EOL] ? __pfx_worker_thread+0x10/0x10[EOL] kthread+0x10d/0x240[EOL] ? __pfx_kthread+0x10/0x10[EOL] ret_from_fork+0x34/0x50[EOL] ? __pfx_kthread+0x10/0x10[EOL] ret_from_fork_asm+0x1a/0x30[EOL] </TASK>[EOL]Modules linked in:[EOL]CR2: 000000000000000c[EOL]---[ end trace 0000000000000000 ]---[EOL][EOL]Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and[EOL]return NULL to terminate subsequent rpc_run_task, preventing NULL pointer[EOL]dereference.

CREATE(Triage):(User=lchen-cn) [CVE-2025-38023 (https://nvd.nist.gov/vuln/detail/CVE-2025-38023)
Live chat
Online
  • Linkedin
  • Facebook
  • Twitter
  • Youtube