In the Linux kernel, the following vulnerability has been resolved:
md/raid1: Fix stack memory use after return in raid1_reshape
In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic.
Example access path:
    raid1_reshape() {
        // newpool is on the stack
        mempool_t newpool, oldpool;
        // initialize newpool.wait.head to stack address
        mempool_init(&newpool, ...);
        conf->r1bio_pool = newpool;
    }

    raid1_read_request() or raid1_write_request() {
        alloc_r1bio() {
            mempool_alloc() {
                // if pool->alloc fails
                remove_element() {
                    --pool->curr_nr;
                }
            }
        }
    }

    mempool_free() {
        if (pool->curr_nr < pool->min_nr) {
            // pool->wait.head is a stack address
            // wake_up() will try to access this invalid address
            // which leads to a kernel panic
            return;
            wake_up(&pool->wait);
        }
    }
Fix: reinit conf->r1bio_pool.wait after assigning newpool.
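The pattern behind this bug, and the reinitialisation that fixes it, reduced to a user-space model. This is an added example, not the kernel's code: struct list_head, struct pool and struct conf are stand-ins for the kernel's wait queue head, mempool_t and struct r1conf, and the self-referential list head plays the role of pool->wait.head.

```c
#include <stdbool.h>
#include <string.h>

/* Stand-in for the kernel's list_head inside a wait_queue_head: an
 * initialised, empty head has next and prev pointing at itself. */
struct list_head { struct list_head *next, *prev; };
static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

/* Stand-in for mempool_t with its embedded wait queue (pool->wait.head). */
struct pool { int curr_nr, min_nr; struct list_head wait; };
struct conf { struct pool r1bio_pool; };   /* stands in for struct r1conf */

/* wake_up() follows wait.next; a head whose pointers do not refer to the
 * struct that embeds it is dangling. Only pointer values are compared
 * here, nothing stale is dereferenced. */
static bool wait_head_is_consistent(const struct pool *p)
{
    return p->wait.next == &p->wait && p->wait.prev == &p->wait;
}

/* Buggy pattern from raid1_reshape: newpool is a stack object; its wait
 * head points at the stack, and the struct copy carries that address. */
static void reshape_buggy(struct conf *conf)
{
    struct pool newpool;
    memset(&newpool, 0, sizeof newpool);
    init_list_head(&newpool.wait);   /* next/prev = &newpool.wait (stack) */
    conf->r1bio_pool = newpool;      /* stale stack address copied into conf */
}

/* Fixed pattern: reinitialise the embedded wait head after the copy. */
static void reshape_fixed(struct conf *conf)
{
    struct pool newpool;
    memset(&newpool, 0, sizeof newpool);
    init_list_head(&newpool.wait);
    conf->r1bio_pool = newpool;
    init_list_head(&conf->r1bio_pool.wait);   /* the fix */
}

bool buggy_copy_leaves_dangling_head(void)
{
    struct conf c;
    reshape_buggy(&c);
    return !wait_head_is_consistent(&c.r1bio_pool);
}

bool fixed_copy_has_valid_head(void)
{
    struct conf c;
    reshape_fixed(&c);
    return wait_head_is_consistent(&c.r1bio_pool);
}
```

In the kernel the stale head is what wake_up() walks from mempool_free(), so the same consistency check on a real mempool_t would be the difference between a wake-up and a panic.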