CVE-2025-38060
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38060
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38060.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38060
- Downstream
- Related
- Published
- 2025-06-18T09:33:39Z
- Modified
- 2025-10-18T02:14:32.694184Z
- Summary
- bpf: copy_verifier_state() should copy 'loop_entry' field
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf: copyverifierstate() should copy 'loop_entry' field
The bpfverifierstate.loopentry state should be copied by copyverifierstate(). Otherwise, .loopentry values from unrelated states would poison env->cur_state.
Additionally, env->stack should not contain any states with .loopentry != NULL. The states in env->stack are yet to be verified, while .loopentry is set for states that reached an equivalent state. This means that env->curstate->loopentry should always be NULL after pop_stack().
See the selftest in the next commit for an example of the program that is not safe yet is accepted by verifier w/o this fix.
This change has some verification performance impact for selftests:
File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF)
arenahtab.bpf.o arenahtabllvm 717 426 -291 (-40.59%) 57 37 -20 (-35.09%) arenahtabasm.bpf.o arenahtabasm 597 445 -152 (-25.46%) 47 37 -10 (-21.28%) arenalist.bpf.o arenalistdel 309 279 -30 (-9.71%) 23 14 -9 (-39.13%) iters.bpf.o itersubprogcheckstacksafe 155 141 -14 (-9.03%) 15 14 -1 (-6.67%) iters.bpf.o itersubprogiters 1094 1003 -91 (-8.32%) 88 83 -5 (-5.68%) iters.bpf.o loopstatedeps2 479 725 +246 (+51.36%) 46 63 +17 (+36.96%) kmemcacheiter.bpf.o opencodediter 63 59 -4 (-6.35%) 7 6 -1 (-14.29%) verifierbitsiter.bpf.o maxwords 92 84 -8 (-8.70%) 8 7 -1 (-12.50%) verifieriteratingcallbacks.bpf.o cond_break2 113 107 -6 (-5.31%) 12 12 +0 (+0.00%)
And significant negative impact for sched_ext:
File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF)
bpf.bpf.o lavdinit 7039 14723 +7684 (+109.16%) 490 1139 +649 (+132.45%) bpf.bpf.o layereddispatch 11485 10548 -937 (-8.16%) 848 762 -86 (-10.14%) bpf.bpf.o layereddump 7422 1000001 +992579 (+13373.47%) 681 31178 +30497 (+4478.27%) bpf.bpf.o layeredenqueue 16854 71127 +54273 (+322.02%) 1611 6450 +4839 (+300.37%) bpf.bpf.o p2dqdispatch 665 791 +126 (+18.95%) 68 78 +10 (+14.71%) bpf.bpf.o p2dqinit 2343 2980 +637 (+27.19%) 201 237 +36 (+17.91%) bpf.bpf.o refreshlayercpumasks 16487 674760 +658273 (+3992.68%) 1770 65370 +63600 (+3593.22%) bpf.bpf.o rustyselectcpu 1937 40872 +38935 (+2010.07%) 177 3210 +3033 (+1713.56%) scxcentral.bpf.o centraldispatch 636 2687 +2051 (+322.48%) 63 227 +164 (+260.32%) scxnest.bpf.o nestinit 636 815 +179 (+28.14%) 60 73 +13 (+21.67%) scxqmap.bpf.o qmapdispatch
---truncated--- - References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2a0992829ea3864939d917a5c7b48be6629c6217Fixed46ba5757a7a4714e7d3f68cfe118208822cb3d78
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2a0992829ea3864939d917a5c7b48be6629c6217Fixed8b4afd89fa75f738a80ca849126fd3cad77bcbf1
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2a0992829ea3864939d917a5c7b48be6629c6217Fixedbbbc02b7445ebfda13e4847f4f1413c6480a85a9
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedc8f6d285825f61d619c4c2509bfd75eb366db900
Affected versions
v2.*
v3.*
v4.*
v5.*
v6.*
Database specific
vanir_signatures
[
{
"id": "CVE-2025-38060-256f51c9",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bbbc02b7445ebfda13e4847f4f1413c6480a85a9",
"target": {
"file": "kernel/bpf/verifier.c",
"function": "do_check"
},
"deprecated": false,
"digest": {
"length": 7590.0,
"function_hash": "50593330448511116250797811952766030437"
},
"signature_version": "v1"
},
{
"id": "CVE-2025-38060-25f76b64",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@46ba5757a7a4714e7d3f68cfe118208822cb3d78",
"target": {
"file": "kernel/bpf/verifier.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"181375409433314140721585729508845279627",
"268202794069095021290364664065067750798",
"100536806505658104574610431078049765086",
"91486993619862497717755996342916066619",
"18167540491397389853476107949924161548",
"194276401463712583194474825661350955376",
"131415828145998441187267523853476735197",
"191256222890194294888558207897276645798"
],
"threshold": 0.9
},
"signature_version": "v1"
},
{
"id": "CVE-2025-38060-28799d90",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8b4afd89fa75f738a80ca849126fd3cad77bcbf1",
"target": {
"file": "kernel/bpf/verifier.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"181375409433314140721585729508845279627",
"268202794069095021290364664065067750798",
"100536806505658104574610431078049765086",
"91486993619862497717755996342916066619",
"18167540491397389853476107949924161548",
"194276401463712583194474825661350955376",
"131415828145998441187267523853476735197",
"191256222890194294888558207897276645798"
],
"threshold": 0.9
},
"signature_version": "v1"
},
{
"id": "CVE-2025-38060-377b7375",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@46ba5757a7a4714e7d3f68cfe118208822cb3d78",
"target": {
"file": "kernel/bpf/verifier.c",
"function": "do_check"
},
"deprecated": false,
"digest": {
"length": 8143.0,
"function_hash": "330466348640500640210257652461996178334"
},
"signature_version": "v1"
},
{
"id": "CVE-2025-38060-794be292",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8b4afd89fa75f738a80ca849126fd3cad77bcbf1",
"target": {
"file": "kernel/bpf/verifier.c",
"function": "do_check"
},
"deprecated": false,
"digest": {
"length": 7590.0,
"function_hash": "50593330448511116250797811952766030437"
},
"signature_version": "v1"
},
{
"id": "CVE-2025-38060-796423bb",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8b4afd89fa75f738a80ca849126fd3cad77bcbf1",
"target": {
"file": "kernel/bpf/verifier.c",
"function": "copy_verifier_state"
},
"deprecated": false,
"digest": {
"length": 1240.0,
"function_hash": "157294326246825374786599951151370219760"
},
"signature_version": "v1"
},
{
"id": "CVE-2025-38060-892e76ea",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bbbc02b7445ebfda13e4847f4f1413c6480a85a9",
"target": {
"file": "kernel/bpf/verifier.c",
"function": "copy_verifier_state"
},
"deprecated": false,
"digest": {
"length": 1240.0,
"function_hash": "157294326246825374786599951151370219760"
},
"signature_version": "v1"
},
{
"id": "CVE-2025-38060-f03505ff",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bbbc02b7445ebfda13e4847f4f1413c6480a85a9",
"target": {
"file": "kernel/bpf/verifier.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"181375409433314140721585729508845279627",
"268202794069095021290364664065067750798",
"100536806505658104574610431078049765086",
"91486993619862497717755996342916066619",
"18167540491397389853476107949924161548",
"194276401463712583194474825661350955376",
"131415828145998441187267523853476735197",
"191256222890194294888558207897276645798"
],
"threshold": 0.9
},
"signature_version": "v1"
},
{
"id": "CVE-2025-38060-fa34d169",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@46ba5757a7a4714e7d3f68cfe118208822cb3d78",
"target": {
"file": "kernel/bpf/verifier.c",
"function": "copy_verifier_state"
},
"deprecated": false,
"digest": {
"length": 1565.0,
"function_hash": "171085198739373117177832236556915657617"
},
"signature_version": "v1"
}
]