CVE-2025-38213
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/07/2025
Last modified:
08/07/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

vgacon: Add check for vc_origin address range in vgacon_scroll()

Our in-house Syzkaller reported the following BUG (twice), which we
believed was the same issue with [1]:

==================================================================
BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740
Read of size 2 at addr ffff88800f5bef60 by task syz.7.2620/12393
...
Call Trace:

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
print_address_description.constprop.0+0x6b/0x3d0 mm/kasan/report.c:364
print_report+0xba/0x280 mm/kasan/report.c:475
kasan_report+0xa9/0xe0 mm/kasan/report.c:588
vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740
vcs_write_buf_noattr drivers/tty/vt/vc_screen.c:493 [inline]
vcs_write+0x586/0x840 drivers/tty/vt/vc_screen.c:690
vfs_write+0x219/0x960 fs/read_write.c:584
ksys_write+0x12e/0x260 fs/read_write.c:639
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x78/0xe2
...

Allocated by task 5614:
kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:201 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc+0x62/0x140 mm/slab_common.c:1020
kmalloc include/linux/slab.h:604 [inline]
kzalloc include/linux/slab.h:721 [inline]
vc_do_resize+0x235/0xf40 drivers/tty/vt/vt.c:1193
vgacon_adjust_height+0x2d4/0x350 drivers/video/console/vgacon.c:1007
vgacon_font_set+0x1f7/0x240 drivers/video/console/vgacon.c:1031
con_font_set drivers/tty/vt/vt.c:4628 [inline]
con_font_op+0x4da/0xa20 drivers/tty/vt/vt.c:4675
vt_k_ioctl+0xa10/0xb30 drivers/tty/vt/vt_ioctl.c:474
vt_ioctl+0x14c/0x1870 drivers/tty/vt/vt_ioctl.c:752
tty_ioctl+0x655/0x1510 drivers/tty/tty_io.c:2779
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0x12d/0x190 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x78/0xe2

Last potentially related work creation:
kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0x94/0xa0 mm/kasan/generic.c:492
__call_rcu_common.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713
netlink_release+0x620/0xc20 net/netlink/af_netlink.c:802
__sock_release+0xb5/0x270 net/socket.c:663
sock_close+0x1e/0x30 net/socket.c:1425
__fput+0x408/0xab0 fs/file_table.c:384
__fput_sync+0x4c/0x60 fs/file_table.c:465
__do_sys_close fs/open.c:1580 [inline]
__se_sys_close+0x68/0xd0 fs/open.c:1565
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x78/0xe2

Second to last potentially related work creation:
kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0x94/0xa0 mm/kasan/generic.c:492
__call_rcu_common.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713
netlink_release+0x620/0xc20 net/netlink/af_netlink.c:802
__sock_release+0xb5/0x270 net/socket.c:663
sock_close+0x1e/0x30 net/socket.c:1425
__fput+0x408/0xab0 fs/file_table.c:384
task_work_run+0x154/0x240 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:45 [inline]
do_exit+0x8e5/0x1320 kernel/exit.c:874
do_group_exit+0xcd/0x280 kernel/exit.c:1023
get_signal+0x1675/0x1850 kernel/signal.c:2905
arch_do_signal_or_restart+0x80/0x3b0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x1b3/0x1e0 kernel/entry/common.c:218
do_syscall_64+0x66/0x110 arch/x86/ent
---truncated---
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2f4040a5855a59e48296f1b5a7cc0fceea3195b1
- https://git.kernel.org/stable/c/499b77fa1416a85fee106e60b240e912bca10cb8
- https://git.kernel.org/stable/c/843de5fbfe277e30fb333a7fa033b684c37829ac
- https://git.kernel.org/stable/c/864f9963ec6b4b76d104d595ba28110b87158003
- https://git.kernel.org/stable/c/9928ba7de39793a1c7c77b8b9e6ecf6209110311
- https://git.kernel.org/stable/c/bf9c07864765864b968e59c7b72db91130d621ca
- https://git.kernel.org/stable/c/e44532b1c358bfd2c4c7dc28fd01d47fef09ac70
- https://git.kernel.org/stable/c/f20fd54af4e1077fdbca4dd98375a4d1d941e50d