CVE-2025-38060

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38060
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38060.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38060
Downstream
Related
Published
2025-06-18T10:15:38Z
Modified
2025-09-03T17:00:22Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: copy_verifier_state() should copy 'loop_entry' field

The bpf_verifier_state.loop_entry state should be copied by copy_verifier_state(). Otherwise, .loop_entry values from unrelated states would poison env->cur_state.

Additionally, env->stack should not contain any states with .loop_entry != NULL. The states in env->stack are yet to be verified, while .loop_entry is set for states that reached an equivalent state. This means that env->cur_state->loop_entry should always be NULL after pop_stack().

See the selftest in the next commit for an example of the program that is not safe yet is accepted by verifier w/o this fix.

This change has some verification performance impact for selftests:

File                              Program                    Insns (A)  Insns (B)  Insns (DIFF)     States (A)  States (B)  States (DIFF)
--------------------------------  -------------------------  ---------  ---------  ---------------  ----------  ----------  -------------
arenahtab.bpf.o                   arenahtabllvm              717        426        -291 (-40.59%)   57          37          -20 (-35.09%)
arenahtabasm.bpf.o                arenahtabasm               597        445        -152 (-25.46%)   47          37          -10 (-21.28%)
arenalist.bpf.o                   arenalistdel               309        279        -30 (-9.71%)     23          14          -9 (-39.13%)
iters.bpf.o                       itersubprogcheckstacksafe  155        141        -14 (-9.03%)     15          14          -1 (-6.67%)
iters.bpf.o                       itersubprogiters           1094       1003       -91 (-8.32%)     88          83          -5 (-5.68%)
iters.bpf.o                       loopstatedeps2             479        725        +246 (+51.36%)   46          63          +17 (+36.96%)
kmemcacheiter.bpf.o               opencodediter              63         59         -4 (-6.35%)      7           6           -1 (-14.29%)
verifierbitsiter.bpf.o            maxwords                   92         84         -8 (-8.70%)      8           7           -1 (-12.50%)
verifieriteratingcallbacks.bpf.o  cond_break2                113        107        -6 (-5.31%)      12          12          +0 (+0.00%)

And significant negative impact for sched_ext:

File              Program               Insns (A)  Insns (B)  Insns (DIFF)          States (A)  States (B)  States (DIFF)
----------------  --------------------  ---------  ---------  --------------------  ----------  ----------  ------------------
bpf.bpf.o         lavdinit              7039       14723      +7684 (+109.16%)      490         1139        +649 (+132.45%)
bpf.bpf.o         layereddispatch       11485      10548      -937 (-8.16%)         848         762         -86 (-10.14%)
bpf.bpf.o         layereddump           7422       1000001    +992579 (+13373.47%)  681         31178       +30497 (+4478.27%)
bpf.bpf.o         layeredenqueue        16854      71127      +54273 (+322.02%)     1611        6450        +4839 (+300.37%)
bpf.bpf.o         p2dqdispatch          665        791        +126 (+18.95%)        68          78          +10 (+14.71%)
bpf.bpf.o         p2dqinit              2343       2980       +637 (+27.19%)        201         237         +36 (+17.91%)
bpf.bpf.o         refreshlayercpumasks  16487      674760     +658273 (+3992.68%)   1770        65370       +63600 (+3593.22%)
bpf.bpf.o         rustyselectcpu        1937       40872      +38935 (+2010.07%)    177         3210        +3033 (+1713.56%)
scxcentral.bpf.o  centraldispatch       636        2687       +2051 (+322.48%)      63          227         +164 (+260.32%)
scxnest.bpf.o     nestinit              636        815        +179 (+28.14%)        60          73          +13 (+21.67%)
scxqmap.bpf.o     qmapdispatch
---truncated---

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.12.32-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.12.32-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}