CVE-2025-38592

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 19/08/2025
Last modified: 26/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv

Currently both dev_coredumpv and skb_put_data in hci_devcd_dump use
hdev->dump.head. However, dev_coredumpv can free the buffer. From
dev_coredumpm_timeout documentation, which is used by dev_coredumpv:

> Creates a new device coredump for the given device. If a previous one hasn't
> been read yet, the new coredump is discarded. The data lifetime is determined
> by the device coredump framework and when it is no longer needed the @free
> function will be called to free the data.

If the data has not been read by the userspace yet, dev_coredumpv will
discard new buffer, freeing hdev->dump.head. This leads to
vmalloc-out-of-bounds error when skb_put_data tries to access
hdev->dump.head.

A crash report from syzbot illustrates this:

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in skb_put_data
include/linux/skbuff.h:2752 [inline]
BUG: KASAN: vmalloc-out-of-bounds in hci_devcd_dump+0x142/0x240
net/bluetooth/coredump.c:258
Read of size 140 at addr ffffc90004ed5000 by task kworker/u9:2/5844

CPU: 1 UID: 0 PID: 5844 Comm: kworker/u9:2 Not tainted
6.14.0-syzkaller-10892-g4e82c87058f4 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 02/12/2025
Workqueue: hci0 hci_devcd_timeout
Call Trace:

__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
__asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105
skb_put_data include/linux/skbuff.h:2752 [inline]
hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258
hci_devcd_timeout+0xb5/0x2e0 net/bluetooth/coredump.c:413
process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c2/0x780 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245


The buggy address ffffc90004ed5000 belongs to a vmalloc virtual mapping
Memory state around the buggy address:
 ffffc90004ed4f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90004ed4f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90004ed5000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90004ed5080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90004ed5100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

To avoid this issue, reorder dev_coredumpv to be called after
skb_put_data that does not free the data.
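The root cause is an ownership hand-off done in the wrong order: dev_coredumpv takes ownership of the buffer and, when userspace has not yet read the previous dump, frees it immediately, so the skb_put_data that follows reads freed vmalloc memory. The following user-space C program is an added example, not the kernel's code, that models that hand-off so the before/after ordering can be compared on a realistic scenario. Every name prefixed model_ (the framework, the free callback, the skb_put_data stand-in) is an assumption made for the illustration; the "free" is tracked and poisoned rather than actually released so the stale read is observable without undefined behaviour.

```c
/* Added example (not the kernel's code): a user-space model of the
 * ownership hand-off that CVE-2025-38592 got wrong. Everything prefixed
 * model_ is an assumption made for this illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DUMP_LEN 140  /* same size as the faulting read in the KASAN report */

/* A coredump buffer. `freed` is tracked instead of really releasing the
 * memory so a read-after-free can be detected here instead of by KASAN. */
struct model_dump {
    unsigned char *head;
    size_t len;
    bool freed;
};

/* The coredump framework holds at most one unread dump at a time. */
struct model_coredump_fw {
    struct model_dump *pending;
};

/* The @free callback: poison the data with 0xf8 (the value the report
 * shows in shadow memory around the bad address) and mark it gone. */
static void model_free_cb(struct model_dump *d)
{
    memset(d->head, 0xf8, d->len);
    d->freed = true;
}

/* Model of dev_coredumpv: takes ownership of d. If a previous dump has not
 * been read by userspace yet, the new one is discarded and freed at once,
 * exactly as the dev_coredumpm_timeout documentation describes. */
static void model_dev_coredumpv(struct model_coredump_fw *fw, struct model_dump *d)
{
    if (fw->pending) {
        model_free_cb(d);
        return;
    }
    fw->pending = d;
}

/* Model of skb_put_data: copy the dump into the event skb. Returns -1 when
 * the source has already been freed (in the kernel KASAN reports this). */
static int model_skb_put_data(unsigned char *skb, const struct model_dump *d)
{
    if (d->freed)
        return -1;
    memcpy(skb, d->head, d->len);
    return 0;
}

/* Order before the fix: ownership is handed off, then the buffer is read. */
static int hci_devcd_dump_before(struct model_coredump_fw *fw,
                                 struct model_dump *d, unsigned char *skb)
{
    model_dev_coredumpv(fw, d);          /* may free d->head ...           */
    return model_skb_put_data(skb, d);   /* ... which this then reads      */
}

/* Order after the fix: copy into the skb first, then hand ownership off. */
static int hci_devcd_dump_after(struct model_coredump_fw *fw,
                                struct model_dump *d, unsigned char *skb)
{
    int rc = model_skb_put_data(skb, d); /* d->head is still ours here     */
    model_dev_coredumpv(fw, d);          /* framework is free to drop it   */
    return rc;
}

/* Scenario from the advisory: userspace never read the first dump, so the
 * framework discards (and frees) the second one. Returns the skb_put_data
 * result and leaves any copied bytes in skb. */
static int run_unread_scenario(bool fixed, unsigned char *skb)
{
    struct model_coredump_fw fw = { 0 };
    struct model_dump first  = { calloc(DUMP_LEN, 1), DUMP_LEN, false };
    struct model_dump second = { malloc(DUMP_LEN), DUMP_LEN, false };
    int rc;

    memset(second.head, 0x41, DUMP_LEN);   /* constructed dump payload */
    model_dev_coredumpv(&fw, &first);      /* first dump, left unread  */

    rc = fixed ? hci_devcd_dump_after(&fw, &second, skb)
               : hci_devcd_dump_before(&fw, &second, skb);

    free(first.head);
    free(second.head);
    return rc;
}

int main(void)
{
    unsigned char skb[DUMP_LEN];
    printf("before fix: rc=%d\n", run_unread_scenario(false, skb));
    printf("after fix:  rc=%d, first byte 0x%02x\n",
           run_unread_scenario(true, skb), skb[0]);
    return 0;
}
```

The general lesson the model makes visible is that any call which takes ownership of a buffer (and may release it synchronously) has to be the last use of that buffer in the caller; the fix in the advisory is exactly that reordering, not a new check. KASAN with vmalloc instrumentation is what turned this from a silent stale read into the report quoted above.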

Vulnerable products and versions

CPE                                              From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.15 (including)   6.15.10 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.16 (including)   6.16.1 (excluding)