CVE-2025-38493
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38493
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38493.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38493
- Downstream
- Related
- Published
- 2025-07-28T11:22:02Z
- Modified
- 2025-10-18T04:29:32.399314Z
- Summary
- tracing/osnoise: Fix crash in timerlat_dump_stack()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
tracing/osnoise: Fix crash in timerlatdumpstack()
We have observed kernel panics when using timerlat with stack saving, with the following dmesg output:
memcpy: detected buffer overflow: 88 byte write of buffer size 0 WARNING: CPU: 2 PID: 8153 at lib/stringhelpers.c:1032 _fortifyreport+0x55/0xa0 CPU: 2 UID: 0 PID: 8153 Comm: timerlatu/2 Kdump: loaded Not tainted 6.15.3-200.fc42.x8664 #1 PREEMPT(lazy) Call Trace: <TASK> ? tracebufferlockreserve+0x2a/0x60 _fortifypanic+0xd/0xf _timerlatdumpstack.cold+0xd/0xd timerlatdumpstack.part.0+0x47/0x80 timerlatfdread+0x36d/0x390 vfsread+0xe2/0x390 ? syscallexittousermode+0x1d5/0x210 ksysread+0x73/0xe0 dosyscall64+0x7b/0x160 ? excpagefault+0x7e/0x1a0 entrySYSCALL64afterhwframe+0x76/0x7e
_timerlatdump_stack() constructs the ftrace stack entry like this:
struct stackentry *entry; ... memcpy(&entry->caller, fstack->calls, size); entry->size = fstack->nrentries;
Since commit e7186af7fb26 ("tracing: Add back FORTIFYSOURCE logic to kernelstack event structure"), struct stackentry marks its caller field with _counted_by(size). At the time of the memcpy, entry->size contains garbage from the ringbuffer, which under some circumstances is zero, triggering a kernel panic by buffer overflow.
Populate the size field before the memcpy so that the out-of-bounds check knows the correct size. This is analogous to _ftracetrace_stack().
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/7bb9ea515cda027c9e717e27fefcf34f092e7c41
- https://git.kernel.org/stable/c/823d798900481875ba6c68217af028c5ffd2976b
- https://git.kernel.org/stable/c/85a3bce695b361d85fc528e6fbb33e4c8089c806
- https://git.kernel.org/stable/c/fbf90f5aa7ac7cddc69148a71d58f12c8709ce2b
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducede7186af7fb2609584a8bfb3da3c6ae09da5a5224Fixed823d798900481875ba6c68217af028c5ffd2976b
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducede7186af7fb2609584a8bfb3da3c6ae09da5a5224Fixed7bb9ea515cda027c9e717e27fefcf34f092e7c41
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducede7186af7fb2609584a8bfb3da3c6ae09da5a5224Fixedfbf90f5aa7ac7cddc69148a71d58f12c8709ce2b
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducede7186af7fb2609584a8bfb3da3c6ae09da5a5224Fixed85a3bce695b361d85fc528e6fbb33e4c8089c806
Affected versions
v6.*
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.15.3
v6.15.4
v6.15.5
v6.15.6
v6.15.7
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.5
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.8
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.9
v6.6.90
v6.6.91
v6.6.92
v6.6.93
v6.6.94
v6.6.95
v6.6.96
v6.6.97
v6.6.98
v6.6.99
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
Database specific
vanir_signatures
[
{
"id": "CVE-2025-38493-1824a3c0",
"digest": {
"line_hashes": [
"91935373154598794274811423262407300997",
"303500249802711309785630198538231569056",
"199419567778677250648237465081066554906",
"56085924062899135476115307877103857359",
"329039899177092995885677060574769784183"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bb9ea515cda027c9e717e27fefcf34f092e7c41",
"target": {
"file": "kernel/trace/trace_osnoise.c"
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2025-38493-299c17de",
"digest": {
"length": 438.0,
"function_hash": "256752183395134334620662255783375616039"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bb9ea515cda027c9e717e27fefcf34f092e7c41",
"target": {
"file": "kernel/trace/trace_osnoise.c",
"function": "__timerlat_dump_stack"
},
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"id": "CVE-2025-38493-6f49dbee",
"digest": {
"length": 360.0,
"function_hash": "297787803733172043002585244700796723843"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@85a3bce695b361d85fc528e6fbb33e4c8089c806",
"target": {
"file": "kernel/trace/trace_osnoise.c",
"function": "__timerlat_dump_stack"
},
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"id": "CVE-2025-38493-79415d3b",
"digest": {
"line_hashes": [
"91935373154598794274811423262407300997",
"303500249802711309785630198538231569056",
"216126757526545438214351560959922501257",
"20958200706865357589850952227195662044",
"44978438300075468593046086882318052239"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fbf90f5aa7ac7cddc69148a71d58f12c8709ce2b",
"target": {
"file": "kernel/trace/trace_osnoise.c"
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2025-38493-821f7d31",
"digest": {
"length": 438.0,
"function_hash": "256752183395134334620662255783375616039"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@823d798900481875ba6c68217af028c5ffd2976b",
"target": {
"file": "kernel/trace/trace_osnoise.c",
"function": "__timerlat_dump_stack"
},
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"id": "CVE-2025-38493-a31e9d02",
"digest": {
"line_hashes": [
"91935373154598794274811423262407300997",
"303500249802711309785630198538231569056",
"199419567778677250648237465081066554906",
"56085924062899135476115307877103857359",
"329039899177092995885677060574769784183"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@823d798900481875ba6c68217af028c5ffd2976b",
"target": {
"file": "kernel/trace/trace_osnoise.c"
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2025-38493-ac19d1d4",
"digest": {
"length": 360.0,
"function_hash": "297787803733172043002585244700796723843"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fbf90f5aa7ac7cddc69148a71d58f12c8709ce2b",
"target": {
"file": "kernel/trace/trace_osnoise.c",
"function": "__timerlat_dump_stack"
},
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"id": "CVE-2025-38493-fe8dd346",
"digest": {
"line_hashes": [
"91935373154598794274811423262407300997",
"303500249802711309785630198538231569056",
"216126757526545438214351560959922501257",
"20958200706865357589850952227195662044",
"44978438300075468593046086882318052239"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@85a3bce695b361d85fc528e6fbb33e4c8089c806",
"target": {
"file": "kernel/trace/trace_osnoise.c"
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
}
]