CVE-2025-38344

In the Linux kernel, the following vulnerability has been resolved:

ACPICA: fix acpi parse and parseext cache leaks

ACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5

I'm Seunghun Han, and I work for National Security Research Institute of South Korea.

I have been doing a research on ACPI and found an ACPI cache leak in ACPI early abort cases.

Boot log of ACPI cache leak is as follows: [ 0.352414] ACPI: Added OSI(Module Device) [ 0.353182] ACPI: Added _OSI(Processor Device) [ 0.353182] ACPI: Added _OSI(3.0 _SCP Extensions) [ 0.353182] ACPI: Added _OSI(Processor Aggregator Device) [ 0.356028] ACPI: Unable to start the ACPI Interpreter [ 0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) [ 0.360215] kmemcachedestroy Acpi-State: Slab cache still has objects [ 0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #10 [ 0.361273] Hardware name: innotek gmbh virtualbox/virtualbox, BIOS virtualbox 12/01/2006 [ 0.361873] Call Trace: [ 0.362243] ? dumpstack+0x5c/0x81 [ 0.362591] ? kmemcachedestroy+0x1aa/0x1c0 [ 0.362944] ? acpisleepprocinit+0x27/0x27 [ 0.363296] ? acpiosdeletecache+0xa/0x10 [ 0.363646] ? acpiutdeletecaches+0x6d/0x7b [ 0.364000] ? acpiterminate+0xa/0x14 [ 0.364000] ? acpiinit+0x2af/0x34f [ 0.364000] ? _classcreate+0x4c/0x80 [ 0.364000] ? videosetup+0x7f/0x7f [ 0.364000] ? acpisleepprocinit+0x27/0x27 [ 0.364000] ? dooneinitcall+0x4e/0x1a0 [ 0.364000] ? kernelinitfreeable+0x189/0x20a [ 0.364000] ? restinit+0xc0/0xc0 [ 0.364000] ? kernelinit+0xa/0x100 [ 0.364000] ? retfrom_fork+0x25/0x30

I analyzed this memory leak in detail. I found that “Acpi-State” cache and “Acpi-Parse” cache were merged because the size of cache objects was same slab cache size.

I finally found “Acpi-Parse” cache and “Acpi-parseext” cache were leaked using SLABNEVERMERGE flag in kmemcache_create() function.

Real ACPI cache leak point is as follows: [ 0.360101] ACPI: Added OSI(Module Device) [ 0.360101] ACPI: Added _OSI(Processor Device) [ 0.360101] ACPI: Added _OSI(3.0 _SCP Extensions) [ 0.361043] ACPI: Added _OSI(Processor Aggregator Device) [ 0.364016] ACPI: Unable to start the ACPI Interpreter [ 0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) [ 0.368174] kmemcachedestroy Acpi-Parse: Slab cache still has objects [ 0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #8 [ 0.371256] Hardware name: innotek gmbh virtualbox/virtualbox, BIOS virtualbox 12/01/2006 [ 0.372000] Call Trace: [ 0.372000] ? dumpstack+0x5c/0x81 [ 0.372000] ? kmemcachedestroy+0x1aa/0x1c0 [ 0.372000] ? acpisleepprocinit+0x27/0x27 [ 0.372000] ? acpiosdeletecache+0xa/0x10 [ 0.372000] ? acpiutdeletecaches+0x56/0x7b [ 0.372000] ? acpiterminate+0xa/0x14 [ 0.372000] ? acpiinit+0x2af/0x34f [ 0.372000] ? _classcreate+0x4c/0x80 [ 0.372000] ? videosetup+0x7f/0x7f [ 0.372000] ? acpisleepprocinit+0x27/0x27 [ 0.372000] ? dooneinitcall+0x4e/0x1a0 [ 0.372000] ? kernelinitfreeable+0x189/0x20a [ 0.372000] ? restinit+0xc0/0xc0 [ 0.372000] ? kernelinit+0xa/0x100 [ 0.372000] ? retfromfork+0x25/0x30 [ 0.388039] kmemcachedestroy Acpi-parseext: Slab cache still has objects [ 0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #8 [ 0.390557] Hardware name: innotek gmbh virtualbox/virtualbox, BIOS virtualbox 12/01/2006 [ 0.392000] Call Trace: [ 0.392000] ? dumpstack+0x5c/0x81 [ 0.392000] ? kmemcachedestroy+0x1aa/0x1c0 [ 0.392000] ? acpisleepprocinit+0x27/0x27 [ 0.392000] ? acpiosdeletecache+0xa/0x10 [ 0.392000] ? acpiutdeletecaches+0x6d/0x7b [ 0.392000] ? acpiterminate+0xa/0x14 [ 0.392000] ? acpiinit+0x2af/0x3 ---truncated---