CVE-2025-38090

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drivers/rapidio/rio_cm.c: prevent possible heap overwrite<br /> <br /> In<br /> <br /> riocm_cdev_ioctl(RIO_CM_CHAN_SEND)<br /> -&gt; cm_chan_msg_send()<br /> -&gt; riocm_ch_send()<br /> <br /> cm_chan_msg_send() checks that userspace didn&amp;#39;t send too much data but<br /> riocm_ch_send() failed to check that userspace sent sufficient data. The<br /> result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr<br /> which were outside the bounds of the space which cm_chan_msg_send()<br /> allocated.<br /> <br /> Address this by teaching riocm_ch_send() to check that the entire<br /> rio_ch_chan_hdr was copied in from userspace.