In the Linux kernel, the following vulnerability has been resolved:
tracing/osnoise: Fix null-ptr-deref in bitmap_parselist()
A crash was observed with the following output:
BUG: kernel NULL pointer dereference, address: 0000000000000010
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 92 Comm: osnoise_cpus Not tainted 6.17.0-rc4-00201-gd69eb204c255 #138 PREEMPT(voluntary)
RIP: 0010:bitmap_parselist+0x53/0x3e0
Call Trace:
 <TASK>
 osnoise_cpus_write+0x7a/0x190
 vfs_write+0xf8/0x410
 ? do_sys_openat2+0x88/0xd0
 ksys_write+0x60/0xd0
 do_syscall_64+0xa4/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>
This issue can be reproduced with the code below:
  fd = open("/sys/kernel/debug/tracing/osnoise/cpus", O_WRONLY);
  write(fd, "0-2", 0);
When a user passes 'count=0' to osnoise_cpus_write(), kmalloc() will return ZERO_SIZE_PTR (16) and cpulist_parse() treats it as a normal value, which triggers the null pointer dereference. Add a check for the parameter 'count'.
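A userspace C model of the failure mode described above, added here as an example; it is not the kernel's code or the upstream patch. The names model_kmalloc(), model_parse(), model_cpus_write() and the return value chosen for an empty write are assumptions. It shows that a NULL check does not catch the zero-size sentinel, so the 'count' check has to run before the allocation and the parser.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Userspace model of the kernel sentinel: non-NULL, but never dereferenceable. */
#define ZERO_SIZE_PTR ((void *)16)

int parse_calls; /* counts how often the parser is reached */

/* Model of kmalloc(): a zero-byte request returns the sentinel, not NULL. */
static void *model_kmalloc(size_t size)
{
    return size ? malloc(size) : ZERO_SIZE_PTR;
}

/* Hypothetical stand-in for the list parser: it reads buf[0] unconditionally. */
static int model_parse(const char *buf, size_t len)
{
    parse_calls++;
    if (buf[0] < '0' || buf[0] > '9')
        return -EINVAL;
    for (size_t i = 1; i < len; i++)
        if (!buf[i] || !strchr("0123456789-,", buf[i]))
            return -EINVAL;
    return 0;
}

/* Returns 1 if a plain "!buf" test would reject a zero-byte allocation. */
int null_check_catches_zero_size(void)
{
    return model_kmalloc(0) == NULL;
}

/* Write-handler shape with the count guard placed before the allocation. */
ssize_t model_cpus_write(const char *ubuf, size_t count)
{
    char *buf;
    int err;

    if (count < 1) /* assumed form of the check: an empty write is a no-op */
        return 0;
    buf = model_kmalloc(count);
    if (!buf) /* catches NULL only, never ZERO_SIZE_PTR */
        return -ENOMEM;
    memcpy(buf, ubuf, count);
    err = model_parse(buf, count);
    free(buf); /* safe: count >= 1, so buf came from malloc() */
    return err ? err : (ssize_t)count;
}
```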
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39887.json"
}