CVE-2025-38433

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 25/07/2025
Last modified: 19/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

riscv: fix runtime constant support for nommu kernels

The `__runtime_fixup_32` function does not handle the case where `val` is zero correctly (as might occur when patching a nommu kernel and referring to a physical address below the 4GiB boundary whose upper 32 bits are all zero) because nothing in the existing logic prevents the code from taking the `else` branch of both nop-checks and emitting two `nop` instructions.

This leaves random garbage in the register that is supposed to receive the upper 32 bits of the pointer instead of zero, which, when combined with the value for the lower 32 bits, yields an invalid pointer and causes a kernel panic when that pointer is eventually accessed.

The author clearly considered the fact that if the `lui` is converted into a `nop` that the second instruction needs to be adjusted to become an `li` instead of an `addi`, hence introducing the `addi_insn_mask` variable, but didn't follow that logic through fully to the case where the `else` branch executes. To fix it, just adjust the logic to ensure that the second `else` branch is not taken if the first instruction will be patched to a `nop`.
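As an added illustration (a model written for this page, not the kernel's own `__runtime_fixup_32` code), the C below reproduces the branch logic described above for a `lui`/`addi` pair, with the flawed and the corrected `else` handling selectable by a flag, and runs the patched pair through a tiny LUI/ADDI interpreter so the stale register contents can be observed. The instruction templates, the choice of x10 as destination and the stale value are constructed inputs.

```c
#include <stdbool.h>
#include <stdint.h>
#define RISCV_NOP 0x00000013u   /* addi x0, x0, 0 */

/* Model of __runtime_fixup_32: patch "lui rd, hi20 ; addi rd, rd, lo12" so the pair loads VAL.
 * fixed == false reproduces the flawed branch logic, fixed == true the corrected one. */
static void fixup_32(uint32_t *lui_insn, uint32_t *addi_insn, uint32_t val, bool fixed)
{
    uint32_t hi20 = (val + 0x800u) & 0xfffff000u;   /* biased so that hi20 + sext(lo12) == val */
    uint32_t lo12 = val & 0xfffu;
    uint32_t addi_insn_mask = 0x000fffffu;          /* keep opcode/rd/funct3/rs1, replace imm */
    if (hi20 != 0) {
        *lui_insn = (*lui_insn & 0xfffu) | hi20;    /* lui rd, hi20 */
    } else {
        *lui_insn = RISCV_NOP;
        addi_insn_mask = 0x00007fffu;               /* also clear rs1: addi becomes li rd, lo12 */
    }
    /* Flawed: only lo12 decides, so val == 0 yields two nops and rd keeps whatever it held.
     * Corrected: once the lui is a nop, the li must be emitted even when lo12 == 0. */
    if (lo12 != 0 || (fixed && hi20 == 0))
        *addi_insn = (*addi_insn & addi_insn_mask) | (lo12 << 20);
    else
        *addi_insn = RISCV_NOP;
}

/* Minimal interpreter for the two encodings involved (LUI, ADDI); x0 stays zero. */
static void exec_insn(uint32_t regs[32], uint32_t insn)
{
    uint32_t opcode = insn & 0x7fu, rd = (insn >> 7) & 0x1fu;
    if (opcode == 0x37u) {                                    /* LUI rd, imm[31:12] */
        regs[rd] = insn & 0xfffff000u;
    } else if (opcode == 0x13u && ((insn >> 12) & 7u) == 0) { /* ADDI rd, rs1, imm[11:0] */
        uint32_t rs1 = (insn >> 15) & 0x1fu, imm = insn >> 20;
        if (imm & 0x800u) imm |= 0xfffff000u;                 /* sign-extend the immediate */
        regs[rd] = regs[rs1] + imm;
    }
    regs[0] = 0;
}

/* Patch a pair targeting x10 and run it with STALE already sitting in x10 (constructed input). */
uint32_t load_via_pair(uint32_t val, uint32_t stale, bool fixed)
{
    uint32_t lui  = 0x37u | (10u << 7);                /* lui  x10, 0      (template) */
    uint32_t addi = 0x13u | (10u << 7) | (10u << 15);  /* addi x10, x10, 0 (template) */
    uint32_t regs[32] = {0};
    fixup_32(&lui, &addi, val, fixed);
    regs[10] = stale;
    exec_insn(regs, lui);
    exec_insn(regs, addi);
    return regs[10];
}
```

With `val == 0` the flawed variant returns the stale value unchanged, which is exactly the garbage upper half the description attributes to the panic; every non-zero value, and zero under the corrected logic, loads correctly.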

Vulnerable products and versions

CPE                                                From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.15 (including)    6.15.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*