DEBIAN-CVE-2025-38214

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/DEBIAN-CVE-2025-38214
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-38214.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-38214
Upstream
Published
2025-07-04T14:15:29Z
Modified
2025-09-17T10:16:11.121211Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix fbsetvar to prevent null-ptr-deref in fbvideomodetovar If fbaddvideomode() in fbsetvar() fails to allocate memory for fbvideomode, later it may lead to a null-ptr dereference in fbvideomodetovar(), as the fbinfo is registered while not having the mode in modelist that is expected to be there, i.e. the one that is described in fbinfo->var. ================================================================ general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:fbvideomodetovar+0x24/0x610 drivers/video/fbdev/core/modedb.c:901 Call Trace: displaytovar+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929 fbconresize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071 resizescreen drivers/tty/vt/vt.c:1176 [inline] vcdoresize+0x53a/0x1170 drivers/tty/vt/vt.c:1263 fbconmodechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720 fbconupdatevcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776 dofbioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128 fbioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203 vfsioctl fs/ioctl.c:48 [inline] _dosysioctl fs/ioctl.c:753 [inline] _sesysioctl fs/ioctl.c:739 [inline] _x64sysioctl+0x19a/0x210 fs/ioctl.c:739 dosyscall64+0x33/0x40 arch/x86/entry/common.c:46 entrySYSCALL64afterhwframe+0x67/0xd1 ================================================================ The reason is that fbinfo->var is being modified in fbsetvar(), and then fbvideomodetovar() is called. If it fails to add the mode to fbinfo->modelist, fbsetvar() returns error, but does not restore the old value of fbinfo->var. Restore fb_info->var on failure the same way it is done earlier in the function. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.147-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.1.119-1
6.1.123-1
6.1.124-1
6.1.128-1
6.1.129-1
6.1.133-1
6.1.135-1
6.1.137-1
6.1.139-1
6.1.140-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.35-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.35-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}