CVE-2025-38723

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38723
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38723.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38723
Downstream
Published
2025-09-04T16:15:42Z
Modified
2025-09-06T13:01:25Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: BPF: Fix jump offset calculation in tailcall

The extra pass of bpf_int_jit_compile() skips JIT context initialization which essentially skips offset calculation leaving out_offset = -1, so the jmp_offset in emit_bpf_tail_call is calculated by

"#define jmp_offset (out_offset - (cur_offset))"

is a negative number, which is wrong. The final generated assembly is as follows.

54: bgeu $a2, $t1, -8 # 0x0000004c
58: addi.d $a6, $s5, -1
5c: bltz $a6, -16 # 0x0000004c
60: alsl.d $t2, $a2, $a1, 0x3
64: ld.d $t2, $t2, 264
68: beq $t2, $zero, -28 # 0x0000004c

Before applying this patch, the following test case will reveal soft lockup issues.

cd tools/testing/selftests/bpf/
./test_progs --allow=tailcalls/tailcall_bpf2bpf_1

dmesg: watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]

References

Affected packages