CVE-2025-38538

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/08/2025
Last modified:
28/08/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: nbpfaxi: Fix memory corruption in probe()

The nbpf->chan[] array is allocated earlier in the nbpf_probe() function and it has "num_channels" elements. These three loops iterate one element farther than they should and corrupt memory.

The changes to the second loop are more involved. In this case, we're copying data from the irqbuf[] array into the nbpf->chan[] array. If the data in irqbuf[i] is the error IRQ then we skip it, so the iterators are not in sync. I added a check to ensure that we don't go beyond the end of the irqbuf[] array. I'm pretty sure this can't happen, but it seemed harmless to add a check.

On the other hand, after the loop has ended there is a check to ensure that the "chan" iterator is where we expect it to be. In the original code we went one element beyond the end of the array so the iterator wasn't in the correct place and it would always return -EINVAL. However, now it will always be in the correct place. I deleted the check since we know the result.
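
The loop-bound errors described above, reproduced in a simplified user-space model. This is an added example, not the nbpfaxi driver's code or the upstream patch; the function names, the guard slot and the sample IRQ numbers are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define GUARD (-1)

/* Shared-IRQ loops: every channel gets the same IRQ. chan_irq must hold
 * num_channels + 1 ints; the extra guard slot makes the overrun of the
 * "<=" bound observable without undefined behaviour. Returns the guard. */
int fill_shared_irq(int *chan_irq, size_t num_channels, int irq, int inclusive)
{
    chan_irq[num_channels] = GUARD;
    for (size_t i = 0; inclusive ? i <= num_channels : i < num_channels; i++)
        chan_irq[i] = irq;
    return chan_irq[num_channels];   /* != GUARD means one slot too many */
}

/* Per-channel loop: copy IRQs while skipping the error IRQ. After the skip
 * the source index i and the destination index chan are out of sync, so
 * each one is bounded by its own array length. */
int copy_channel_irqs(const int *irqbuf, size_t irqbuf_len, int eirq,
                      int *chan_irq, size_t num_channels)
{
    size_t i = 0;

    for (size_t chan = 0; chan < num_channels; chan++, i++) {
        if (i < irqbuf_len && irqbuf[i] == eirq)
            i++;                     /* skip the error IRQ */
        if (i >= irqbuf_len)
            return -EINVAL;          /* source array exhausted */
        chan_irq[chan] = irqbuf[i];
    }
    return 0;
}

int main(void)
{
    int chan_irq[4];                         /* 3 channels + guard slot */
    const int irqbuf[4] = {10, 11, 99, 12};  /* constructed; 99 = error IRQ */

    printf("guard after <= loop: %d\n", fill_shared_irq(chan_irq, 3, 42, 1));
    printf("guard after <  loop: %d\n", fill_shared_irq(chan_irq, 3, 42, 0));
    printf("copy, 4 entries: %d\n", copy_channel_irqs(irqbuf, 4, 99, chan_irq, 3));
    printf("copy, 3 entries: %d\n", copy_channel_irqs(irqbuf, 3, 99, chan_irq, 3));
    return 0;
}
```

With the destination loop bounded by `chan < num_channels`, the iterator always ends exactly at the end of the channel array, which is why a post-loop position check carries no information once the bound is correct.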

Impact