Wind River Support Network

Acknowledged

LIN1024-10836 : Security Advisory - linux - CVE-2025-38538

Created: Aug 17, 2025    Updated: Aug 19, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: nbpfaxi: Fix memory corruption in probe()

The nbpf->chan[] array is allocated earlier in the nbpf_probe() function and it has "num_channels" elements. These three loops iterate one element farther than they should and corrupt memory.

The changes to the second loop are more involved. In this case, we're copying data from the irqbuf[] array into the nbpf->chan[] array. If the data in irqbuf[i] is the error IRQ then we skip it, so the iterators are not in sync. I added a check to ensure that we don't go beyond the end of the irqbuf[] array. I'm pretty sure this can't happen, but it seemed harmless to add a check.

On the other hand, after the loop has ended there is a check to ensure that the "chan" iterator is where we expect it to be. In the original code we went one element beyond the end of the array so the iterator wasn't in the correct place and it would always return -EINVAL. However, now it will always be in the correct place. I deleted the check since we know the result.
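The loop-bound problem described in the commit message, as an added userspace illustration (not the nbpfaxi driver's code and not the upstream patch). `struct chan`, the function names, the guard value and the IRQ numbers are constructed for this example, and the skip-copy uses separate source and destination indices as one way to keep both iterators bounded.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#define CANARY 0x5a5a5a5a           /* constructed guard value */
struct chan { int irq; };           /* stand-in for per-channel state */

/* Pattern from the description: "<=" writes num_channels + 1 slots. */
void fill_inclusive(struct chan *chan, size_t num_channels, int irq)
{
    for (size_t i = 0; i <= num_channels; i++)
        chan[i].irq = irq;
}

/* Bounded loop: exactly num_channels slots are written. */
void fill_exclusive(struct chan *chan, size_t num_channels, int irq)
{
    for (size_t i = 0; i < num_channels; i++)
        chan[i].irq = irq;
}

/* Copy that skips the error IRQ. Source and destination advance separately,
 * and the source index is checked before every read of irqbuf[]. */
int assign_channel_irqs(struct chan *chan, size_t num_channels,
                        const int *irqbuf, size_t irqs, int eirq)
{
    size_t src = 0;
    for (size_t dst = 0; dst < num_channels; dst++, src++) {
        if (src < irqs && irqbuf[src] == eirq)
            src++;                  /* skip the error IRQ */
        if (src >= irqs)
            return -EINVAL;         /* would read past irqbuf[] */
        chan[dst].irq = irqbuf[src];
    }
    return 0;
}

/* Returns 1 if the guard slot after the last channel survived the fill. */
int guard_intact(int inclusive)
{
    struct chan chan[4] = { {0}, {0}, {0}, {CANARY} };  /* 3 channels + guard */
    (inclusive ? fill_inclusive : fill_exclusive)(chan, 3, 42);
    return chan[3].irq == CANARY;
}

int main(void)
{
    printf("guard intact: inclusive=%d exclusive=%d\n", guard_intact(1), guard_intact(0));
    return 0;
}
```

The guard slot makes the extra write observable without undefined behaviour; in the real allocation that slot would belong to whatever follows the array.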

CREATE(Triage):(User=pbi-cn) [CVE-2025-38538 (https://nvd.nist.gov/vuln/detail/CVE-2025-38538)]