Wind River Support Network

Fixed

LIN1022-16822 : Security Advisory - linux - CVE-2025-38445

Created: Jul 28, 2025    Updated: Aug 28, 2025
Resolved Date: Aug 28, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

md/raid1: Fix stack memory use after return in raid1_reshape

In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic.

Example access path:

raid1_reshape()
{
    // newpool is on the stack
    mempool_t newpool, oldpool;
    // initialize newpool.wait.head to stack address
    mempool_init(&newpool, ...);
    conf->r1bio_pool = newpool;
}

raid1_read_request() or raid1_write_request()
{
    alloc_r1bio()
    {
        mempool_alloc()
        {
            // if pool->alloc fails
            remove_element()
            {
                --pool->curr_nr;
            }
        }
    }
}

mempool_free()
{
    if (pool->curr_nr < pool->min_nr) {
        // pool->wait.head is a stack address
        // wake_up() will try to access this invalid address
        // which leads to a kernel panic
        return;
        wake_up(&pool->wait);
    }
}

Fix:
reinit conf->r1bio_pool.wait after assigning newpool.
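The following user-space model is an added example, not code from the kernel or from this advisory. It shows why copying a stack-initialised pool by value leaves its wait list pointing at the stack, and how re-initialising the wait head after the assignment corrects it. The struct layouts and the names init_wait_head, pool_init, wait_head_ok and reshape are simplified assumptions standing in for the kernel's list_head, wait queue head and mempool_t.

```c
#include <stdio.h>

/* Simplified stand-ins (assumed layout) for list_head, the wait queue head and mempool_t. */
struct list_head { struct list_head *next, *prev; };
struct wait_head { struct list_head head; };
struct pool { int curr_nr, min_nr; struct wait_head wait; };
struct conf { struct pool r1bio_pool; };

/* An empty list head points at itself, so its value depends on its address. */
static void init_wait_head(struct wait_head *w)
{
    w->head.next = w->head.prev = &w->head;
}

static void pool_init(struct pool *p, int min_nr)
{
    p->curr_nr = p->min_nr = min_nr;
    init_wait_head(&p->wait);
}

/* 1 if the wait list links refer to the pool's own storage, 0 otherwise. */
static int wait_head_ok(const struct pool *p)
{
    return p->wait.head.next == &p->wait.head &&
           p->wait.head.prev == &p->wait.head;
}

/*
 * Models the assignment in raid1_reshape(). The result is computed before
 * returning, while newpool is still live, so the demo never reads a dead
 * stack address. reinit_wait = 0 is the bug, 1 is the fix.
 */
static int reshape(struct conf *c, int reinit_wait)
{
    struct pool newpool;
    pool_init(&newpool, 4);
    c->r1bio_pool = newpool;   /* copies next/prev == &newpool.wait.head */
    if (reinit_wait)
        init_wait_head(&c->r1bio_pool.wait);
    return wait_head_ok(&c->r1bio_pool);
}

int main(void)
{
    struct conf c;
    printf("without reinit: ok=%d\n", reshape(&c, 0));
    printf("with reinit:    ok=%d\n", reshape(&c, 1));
    return 0;
}
```

A compiler that warns about storing the address of a local variable in a longer-lived object may flag the struct copy in reshape, which is the same condition the advisory describes.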

CREATE(Triage):(User=admin) CVE-2025-38445 (https://nvd.nist.gov/vuln/detail/CVE-2025-38445)