CVE-2025-38493

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing/osnoise: Fix crash in timerlat_dump_stack()<br /> <br /> We have observed kernel panics when using timerlat with stack saving,<br /> with the following dmesg output:<br /> <br /> memcpy: detected buffer overflow: 88 byte write of buffer size 0<br /> WARNING: CPU: 2 PID: 8153 at lib/string_helpers.c:1032 __fortify_report+0x55/0xa0<br /> CPU: 2 UID: 0 PID: 8153 Comm: timerlatu/2 Kdump: loaded Not tainted 6.15.3-200.fc42.x86_64 #1 PREEMPT(lazy)<br /> Call Trace:<br /> <br /> ? trace_buffer_lock_reserve+0x2a/0x60<br /> __fortify_panic+0xd/0xf<br /> __timerlat_dump_stack.cold+0xd/0xd<br /> timerlat_dump_stack.part.0+0x47/0x80<br /> timerlat_fd_read+0x36d/0x390<br /> vfs_read+0xe2/0x390<br /> ? syscall_exit_to_user_mode+0x1d5/0x210<br /> ksys_read+0x73/0xe0<br /> do_syscall_64+0x7b/0x160<br /> ? exc_page_fault+0x7e/0x1a0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> __timerlat_dump_stack() constructs the ftrace stack entry like this:<br /> <br /> struct stack_entry *entry;<br /> ...<br /> memcpy(&amp;entry-&gt;caller, fstack-&gt;calls, size);<br /> entry-&gt;size = fstack-&gt;nr_entries;<br /> <br /> Since commit e7186af7fb26 ("tracing: Add back FORTIFY_SOURCE logic to<br /> kernel_stack event structure"), struct stack_entry marks its caller<br /> field with __counted_by(size). At the time of the memcpy, entry-&gt;size<br /> contains garbage from the ringbuffer, which under some circumstances is<br /> zero, triggering a kernel panic by buffer overflow.<br /> <br /> Populate the size field before the memcpy so that the out-of-bounds<br /> check knows the correct size. This is analogous to<br /> __ftrace_trace_stack().