CVE-2025-38060
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38060
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38060.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38060
- Downstream
- Related
- Published
- 2025-06-18T09:33:39.610Z
- Modified
- 2025-11-28T02:34:17.382083Z
- Summary
- bpf: copy_verifier_state() should copy 'loop_entry' field
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf: copyverifierstate() should copy 'loop_entry' field
The bpfverifierstate.loopentry state should be copied by copyverifierstate(). Otherwise, .loopentry values from unrelated states would poison env->cur_state.
Additionally, env->stack should not contain any states with .loopentry != NULL. The states in env->stack are yet to be verified, while .loopentry is set for states that reached an equivalent state. This means that env->curstate->loopentry should always be NULL after pop_stack().
See the selftest in the next commit for an example of the program that is not safe yet is accepted by verifier w/o this fix.
This change has some verification performance impact for selftests:
File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF)
arenahtab.bpf.o arenahtabllvm 717 426 -291 (-40.59%) 57 37 -20 (-35.09%) arenahtabasm.bpf.o arenahtabasm 597 445 -152 (-25.46%) 47 37 -10 (-21.28%) arenalist.bpf.o arenalistdel 309 279 -30 (-9.71%) 23 14 -9 (-39.13%) iters.bpf.o itersubprogcheckstacksafe 155 141 -14 (-9.03%) 15 14 -1 (-6.67%) iters.bpf.o itersubprogiters 1094 1003 -91 (-8.32%) 88 83 -5 (-5.68%) iters.bpf.o loopstatedeps2 479 725 +246 (+51.36%) 46 63 +17 (+36.96%) kmemcacheiter.bpf.o opencodediter 63 59 -4 (-6.35%) 7 6 -1 (-14.29%) verifierbitsiter.bpf.o maxwords 92 84 -8 (-8.70%) 8 7 -1 (-12.50%) verifieriteratingcallbacks.bpf.o cond_break2 113 107 -6 (-5.31%) 12 12 +0 (+0.00%)
And significant negative impact for sched_ext:
File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF)
bpf.bpf.o lavdinit 7039 14723 +7684 (+109.16%) 490 1139 +649 (+132.45%) bpf.bpf.o layereddispatch 11485 10548 -937 (-8.16%) 848 762 -86 (-10.14%) bpf.bpf.o layereddump 7422 1000001 +992579 (+13373.47%) 681 31178 +30497 (+4478.27%) bpf.bpf.o layeredenqueue 16854 71127 +54273 (+322.02%) 1611 6450 +4839 (+300.37%) bpf.bpf.o p2dqdispatch 665 791 +126 (+18.95%) 68 78 +10 (+14.71%) bpf.bpf.o p2dqinit 2343 2980 +637 (+27.19%) 201 237 +36 (+17.91%) bpf.bpf.o refreshlayercpumasks 16487 674760 +658273 (+3992.68%) 1770 65370 +63600 (+3593.22%) bpf.bpf.o rustyselectcpu 1937 40872 +38935 (+2010.07%) 177 3210 +3033 (+1713.56%) scxcentral.bpf.o centraldispatch 636 2687 +2051 (+322.48%) 63 227 +164 (+260.32%) scxnest.bpf.o nestinit 636 815 +179 (+28.14%) 60 73 +13 (+21.67%) scxqmap.bpf.o qmapdispatch
---truncated--- - Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38060.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/46ba5757a7a4714e7d3f68cfe118208822cb3d78
- https://git.kernel.org/stable/c/8b4afd89fa75f738a80ca849126fd3cad77bcbf1
- https://git.kernel.org/stable/c/bbbc02b7445ebfda13e4847f4f1413c6480a85a9
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38060.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-38060
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2a0992829ea3864939d917a5c7b48be6629c6217Fixed46ba5757a7a4714e7d3f68cfe118208822cb3d78Fixed8b4afd89fa75f738a80ca849126fd3cad77bcbf1Fixedbbbc02b7445ebfda13e4847f4f1413c6480a85a9
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedc8f6d285825f61d619c4c2509bfd75eb366db900