Acknowledged
Created: Jul 7, 2025
Updated: Jul 8, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

vgacon: Add check for vc_origin address range in vgacon_scroll()

Our in-house Syzkaller reported the following BUG (twice), which we
believed was the same issue with [1]:

==================================================================
BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740
Read of size 2 at addr ffff88800f5bef60 by task syz.7.2620/12393
...
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
 print_address_description.constprop.0+0x6b/0x3d0 mm/kasan/report.c:364
 print_report+0xba/0x280 mm/kasan/report.c:475
 kasan_report+0xa9/0xe0 mm/kasan/report.c:588
 vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740
 vcs_write_buf_noattr drivers/tty/vt/vc_screen.c:493 [inline]
 vcs_write+0x586/0x840 drivers/tty/vt/vc_screen.c:690
 vfs_write+0x219/0x960 fs/read_write.c:584
 ksys_write+0x12e/0x260 fs/read_write.c:639
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x78/0xe2
 ...
 </TASK>

Allocated by task 5614:
 kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:201 [inline]
 __do_kmalloc_node mm/slab_common.c:1007 [inline]
 __kmalloc+0x62/0x140 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 vc_do_resize+0x235/0xf40 drivers/tty/vt/vt.c:1193
 vgacon_adjust_height+0x2d4/0x350 drivers/video/console/vgacon.c:1007
 vgacon_font_set+0x1f7/0x240 drivers/video/console/vgacon.c:1031
 con_font_set drivers/tty/vt/vt.c:4628 [inline]
 con_font_op+0x4da/0xa20 drivers/tty/vt/vt.c:4675
 vt_k_ioctl+0xa10/0xb30 drivers/tty/vt/vt_ioctl.c:474
 vt_ioctl+0x14c/0x1870 drivers/tty/vt/vt_ioctl.c:752
 tty_ioctl+0x655/0x1510 drivers/tty/tty_io.c:2779
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl+0x12d/0x190 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x78/0xe2

Last potentially related work creation:
 kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x94/0xa0 mm/kasan/generic.c:492
 __call_rcu_common.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713
 netlink_release+0x620/0xc20 net/netlink/af_netlink.c:802
 __sock_release+0xb5/0x270 net/socket.c:663
 sock_close+0x1e/0x30 net/socket.c:1425
 __fput+0x408/0xab0 fs/file_table.c:384
 __fput_sync+0x4c/0x60 fs/file_table.c:465
 __do_sys_close fs/open.c:1580 [inline]
 __se_sys_close+0x68/0xd0 fs/open.c:1565
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x78/0xe2

Second to last potentially related work creation:
 kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x94/0xa0 mm/kasan/generic.c:492
 __call_rcu_common.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713
 netlink_release+0x620/0xc20 net/netlink/af_netlink.c:802
 __sock_release+0xb5/0x270 net/socket.c:663
 sock_close+0x1e/0x30 net/socket.c:1425
 __fput+0x408/0xab0 fs/file_table.c:384
 task_work_run+0x154/0x240 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:45 [inline]
 do_exit+0x8e5/0x1320 kernel/exit.c:874
 do_group_exit+0xcd/0x280 kernel/exit.c:1023
 get_signal+0x1675/0x1850 kernel/signal.c:2905
 arch_do_signal_or_restart+0x80/0x3b0 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x1b3/0x1e0 kernel/entry/common.c:218
 do_syscall_64+0x66/0x110 arch/x86/ent
---truncated---
CREATE(Triage):(User=admin) CVE-2025-38213 (https://nvd.nist.gov/vuln/detail/CVE-2025-38213)