CVE-2025-38196

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38196
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38196.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38196
Downstream
Published
2025-07-04T13:37:19Z
Modified
2025-10-18T02:46:10.054337Z
Summary
io_uring/rsrc: validate buffer count with offset for cloning
Details

In the Linux kernel, the following vulnerability has been resolved:

io_uring/rsrc: validate buffer count with offset for cloning

syzbot reports that it can trigger a WARN_ON() for a kmalloc() attempt that's too big:

WARNING: CPU: 0 PID: 6488 at mm/slub.c:5024 __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024
Modules linked in:
CPU: 0 UID: 0 PID: 6488 Comm: syz-executor312 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024
lr : __do_kmalloc_node mm/slub.c:-1 [inline]
lr : __kvmalloc_node_noprof+0x3b4/0x640 mm/slub.c:5012
sp : ffff80009cfd7a90
x29: ffff80009cfd7ac0 x28: ffff0000dd52a120 x27: 0000000000412dc0
x26: 0000000000000178 x25: ffff7000139faf70 x24: 0000000000000000
x23: ffff800082f4cea8 x22: 00000000ffffffff x21: 000000010cd004a8
x20: ffff0000d75816c0 x19: ffff0000dd52a000 x18: 00000000ffffffff
x17: ffff800092f39000 x16: ffff80008adbe9e4 x15: 0000000000000005
x14: 1ffff000139faf1c x13: 0000000000000000 x12: 0000000000000000
x11: ffff7000139faf21 x10: 0000000000000003 x9 : ffff80008f27b938
x8 : 0000000000000002 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 00000000ffffffff x4 : 0000000000400dc0 x3 : 0000000200000000
x2 : 000000010cd004a8 x1 : ffff80008b3ebc40 x0 : 0000000000000001
Call trace:
 __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 (P)
 kvmalloc_array_node_noprof include/linux/slab.h:1065 [inline]
 io_rsrc_data_alloc io_uring/rsrc.c:206 [inline]
 io_clone_buffers io_uring/rsrc.c:1178 [inline]
 io_register_clone_buffers+0x484/0xa14 io_uring/rsrc.c:1287
 __io_uring_register io_uring/register.c:815 [inline]
 __do_sys_io_uring_register io_uring/register.c:926 [inline]
 __se_sys_io_uring_register io_uring/register.c:903 [inline]
 __arm64_sys_io_uring_register+0x42c/0xea8 io_uring/register.c:903
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

which is due to offset + buffer count being too large. The registration code checks only the total count of buffers, but given that the indexing is an array, it should also check offset + count. That can't exceed IORING_MAX_REG_BUFFERS either, as there's no way to reach buffers beyond that limit.

There's no issue with registering a table this large, outside of the fact that it's pointless to register buffers that cannot be reached, and that it can trigger this kmalloc() warning for attempting an allocation that is too large.
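The two validation shapes the commit message contrasts, as an added userspace model that is not the kernel's code or the fix commit: the function names, the argument layout, and the value of MAX_REG_BUFFERS (standing in for IORING_MAX_REG_BUFFERS) are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Assumed limit standing in for the kernel's IORING_MAX_REG_BUFFERS; the
 * real constant lives in io_uring, the value used here is illustrative. */
#define MAX_REG_BUFFERS (1U << 14)

/*
 * Pre-fix shape (hypothetical model): only the buffer count is bounded, so
 * off + nr can run up towards 2^32, and a table sized from it is the
 * oversized kmalloc() the warning complains about.
 * Returns the table length, or a negative errno.
 */
long long clone_table_len_before(unsigned int nr, unsigned int off)
{
    if (nr == 0 || nr > MAX_REG_BUFFERS)
        return -EINVAL;
    return (long long)off + nr;        /* unbounded by any limit */
}

/*
 * Post-fix shape: bound off + nr by the same limit, using overflow-safe
 * addition so a large offset cannot wrap the sum back under the limit.
 */
long long clone_table_len_after(unsigned int nr, unsigned int off)
{
    unsigned int nbufs;

    if (nr == 0 || nr > MAX_REG_BUFFERS)
        return -EINVAL;
    if (__builtin_add_overflow(nr, off, &nbufs))
        return -EOVERFLOW;
    if (nbufs > MAX_REG_BUFFERS)
        return -EINVAL;
    return nbufs;
}

int main(void)
{
    /* Constructed inputs: a sane clone, then an oversized offset of the
     * kind the report describes. */
    printf("before: nr=4 off=8 -> %lld\n", clone_table_len_before(4, 8));
    printf("before: nr=1 off=0xfffffff0 -> %lld\n",
           clone_table_len_before(1, 0xfffffff0u));
    printf("after : nr=1 off=0xfffffff0 -> %lld\n",
           clone_table_len_after(1, 0xfffffff0u));
    printf("after : nr=0x20 off=0xfffffff0 -> %lld\n",
           clone_table_len_after(0x20, 0xfffffff0u));
    return 0;
}
```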

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b16e920a1909da6799c43000db730d8fcdcae907
Fixed
0e23ac818f3afb16660b0ba384875d56a7013879
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b16e920a1909da6799c43000db730d8fcdcae907
Fixed
1d27f11bf02b38c431e49a17dee5c10a2b4c2e28

Affected versions

v6.*

v6.12
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.15.3

Database specific

vanir_signatures

[
    {
        "digest": {
            "line_hashes": [
                "36962132757693434145910871077816133782",
                "120714947232188466409866645969160016619",
                "15289727156613071899177723000974480765",
                "287826016176658106806015662251489224447"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "io_uring/rsrc.c"
        },
        "signature_type": "Line",
        "id": "CVE-2025-38196-4daaa88e",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0e23ac818f3afb16660b0ba384875d56a7013879"
    },
    {
        "digest": {
            "line_hashes": [
                "36962132757693434145910871077816133782",
                "120714947232188466409866645969160016619",
                "15289727156613071899177723000974480765",
                "287826016176658106806015662251489224447"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "io_uring/rsrc.c"
        },
        "signature_type": "Line",
        "id": "CVE-2025-38196-57f5a4f9",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d27f11bf02b38c431e49a17dee5c10a2b4c2e28"
    },
    {
        "digest": {
            "length": 2019.0,
            "function_hash": "148440754945569563171334574406680244793"
        },
        "target": {
            "file": "io_uring/rsrc.c",
            "function": "io_clone_buffers"
        },
        "signature_type": "Function",
        "id": "CVE-2025-38196-af935739",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d27f11bf02b38c431e49a17dee5c10a2b4c2e28"
    },
    {
        "digest": {
            "length": 2019.0,
            "function_hash": "148440754945569563171334574406680244793"
        },
        "target": {
            "file": "io_uring/rsrc.c",
            "function": "io_clone_buffers"
        },
        "signature_type": "Function",
        "id": "CVE-2025-38196-be0312b0",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0e23ac818f3afb16660b0ba384875d56a7013879"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.4