CVE-2025-37816

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-37816
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37816.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-37816
Downstream
Published
2025-05-08T06:26:12Z
Modified
2025-10-10T09:53:05.628094Z
Summary
mei: vsc: Fix fortify-panic caused by invalid counted_by() use
Details

In the Linux kernel, the following vulnerability has been resolved:

mei: vsc: Fix fortify-panic caused by invalid counted_by() use

gcc 15 honors the __counted_by(len) attribute on vsc_tp_packet.buf[] and the vsc-tp.c code is using this in a wrong way. len does not contain the available size in the buffer, it contains the actual packet length without the crc. So as soon as vsc_tp_xfer() tries to add the crc to buf[] the fortify-panic handler gets triggered:

[ 80.842193] memcpy: detected buffer overflow: 4 byte write of buffer size 0
[ 80.842243] WARNING: CPU: 4 PID: 272 at lib/string_helpers.c:1032 __fortify_report+0x45/0x50
...
[ 80.843175] __fortify_panic+0x9/0xb
[ 80.843186] vsc_tp_xfer.cold+0x67/0x67 [mei_vsc_hw]
[ 80.843210] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90
[ 80.843229] ? lockdep_hardirqs_on+0x7c/0x110
[ 80.843250] mei_vsc_hw_start+0x98/0x120 [mei_vsc]
[ 80.843270] mei_reset+0x11d/0x420 [mei]

The easiest fix would be to just drop the counted-by but with the exception of the ack buffer in vsc_tp_xfer_helper() which only contains enough room for the packet-header, all other uses of vsc_tp_packet always use a buffer of VSC_TP_MAX_XFER_SIZE bytes for the packet.

Instead of just dropping the counted-by, split the vsc_tp_packet struct definition into a header and a full-packet definition and use a fixed size buf[] in the packet definition, this way fortify-source buffer overrun checking still works when enabled.
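
The following is an added example, not the driver's code or the upstream patch: a user-space model of the bound a fortified memcpy() sees when the CRC is appended, first with buf[] counted by len and then with the fixed-size buf[] the fix describes. The struct fields, MAX_XFER (a stand-in for VSC_TP_MAX_XFER_SIZE), the -1 return standing in for the fortify panic, and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_XFER 64u  /* assumed stand-in for VSC_TP_MAX_XFER_SIZE */
#define CRC_LEN  4u

/* Hypothetical header fields; only len matters for the bug. */
struct pkt_hdr { uint8_t sync, cmd; uint16_t len; uint32_t seq; };

/* "After" shape: header plus a fixed-size buf[], so the bound is the real capacity. */
struct pkt_full {
    struct pkt_hdr hdr;
    uint8_t buf[MAX_XFER - sizeof(struct pkt_hdr)];
};

/* Bytes a bounds-checked copy believes are left at buf + off for a given bound. */
static size_t room_left(size_t bound, size_t off)
{
    return off < bound ? bound - off : 0;
}

/* Model of the fortify check: copy only if n fits in the believed room.
 * Returns -1 where the kernel would end up in the fortify-panic handler. */
static int checked_copy(uint8_t *buf, size_t bound, size_t off,
                        const void *src, size_t n)
{
    if (n > room_left(bound, off))
        return -1;
    memcpy(buf + off, src, n);
    return 0;
}

/* Bound as a counted-by-len buf[] states it: hdr.len, the payload length.
 * The CRC goes at buf + len, where the believed room is len - len = 0. */
int append_crc_counted_by(struct pkt_full *p, uint32_t crc)
{
    return checked_copy(p->buf, p->hdr.len, p->hdr.len, &crc, CRC_LEN);
}

/* Bound after the fix: sizeof(buf), the space actually available. */
int append_crc_fixed(struct pkt_full *p, uint32_t crc)
{
    return checked_copy(p->buf, sizeof(p->buf), p->hdr.len, &crc, CRC_LEN);
}
```

The zero returned by room_left(len, len) corresponds to the "4 byte write of buffer size 0" line in the log, and the fixed-size bound still rejects a CRC that would run past the real end of buf[].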

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
566f5ca9768075e453b7b51a397733968df4287d
Fixed
3e243378f27cc7d11682a3ad720228b0723affa5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
566f5ca9768075e453b7b51a397733968df4287d
Fixed
ac04663c67f244810b3492e9ecd9f7cdbefeca2d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
566f5ca9768075e453b7b51a397733968df4287d
Fixed
00f1cc14da0f06d2897b8c528df7c7dcf1b8da50

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.2
v6.14.3
v6.14.4
v6.15-rc1
v6.7
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.12.26
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.14.5