CVE-2025-38257
published 2025-07-09
high 7.8 CVSS 3.1
AV:L AC:L PR:L UI:N S:U C:H I:H A:H
In the Linux kernel, the following vulnerability has been resolved:

s390/pkey: Prevent overflow in size calculation for memdup_user()

Number of apqn target list entries contained in 'nr_apqns' variable is
determined by userspace via an ioctl call so the result of the product in
calculation of size passed to memdup_user() may overflow.

In this case the actual size of the allocated area and the value
describing it won't be in sync leading to various types of unpredictable
behaviour later.

Use a proper memdup_array_user() helper which returns an error if an
overflow is detected. Note that it is different from when nr_apqns is
initially zero - that case is considered valid and should be handled in
subsequent pkey_handler implementations.

Found by Linux Verification Center (linuxtesting.org).
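
The size calculation described above, as an added user-space example (not kernel code and not part of the advisory or the fix): it contrasts an unchecked count-times-size product with an overflow-checked one, and keeps the empty list as a valid case. `struct apqn_entry`, the function names and the oversized count are assumptions constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for one APQN list entry; the layout is illustrative. */
struct apqn_entry { uint16_t card; uint16_t domain; };

/* Pre-fix pattern: the product silently wraps modulo SIZE_MAX + 1. */
static size_t nbytes_unchecked(size_t nr, size_t elem) { return nr * elem; }

/* Post-fix pattern: reject a count whose byte size does not fit in size_t. */
static int nbytes_checked(size_t nr, size_t elem, size_t *out)
{
    if (elem != 0 && nr > SIZE_MAX / elem)
        return -EOVERFLOW;
    *out = nr * elem;
    return 0;
}

/* User-space model of an overflow-checked array copy.
 * Returns 0 and sets *dst (NULL for an empty list), or a negative errno. */
static int dup_array(const void *src, size_t nr, size_t elem, void **dst)
{
    size_t nbytes;
    int rc = nbytes_checked(nr, elem, &nbytes);
    *dst = NULL;
    if (rc)
        return rc;      /* overflow is an error ... */
    if (nbytes == 0)
        return 0;       /* ... an empty list is not */
    *dst = malloc(nbytes);
    if (!*dst)
        return -ENOMEM;
    memcpy(*dst, src, nbytes);
    return 0;
}

int main(void)
{
    size_t elem = sizeof(struct apqn_entry);
    size_t huge = SIZE_MAX / elem + 2;  /* constructed oversized count */
    void *copy;

    printf("unchecked: %zu entries -> %zu bytes\n", huge, nbytes_unchecked(huge, elem));
    printf("checked:   rc = %d\n", dup_array(NULL, huge, elem, &copy));
    return 0;
}
```

With the unchecked product the computed size collapses to a few bytes while the entry count stays enormous, which is the size/count mismatch the description refers to.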
Affected
32 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d < ad1bdd24a02d5a8d119af8e4cd50933780a6d29f | ad1bdd24a02d5a8d119af8e4cd50933780a6d29f |
| linux | linux | >= f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d < faa1ab4a23c42e34dc000ef4977b751d94d5148c | faa1ab4a23c42e34dc000ef4977b751d94d5148c |
| linux | linux | >= f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d < 88f3869649edbc4a13f6c2877091f81cd5a50f05 | 88f3869649edbc4a13f6c2877091f81cd5a50f05 |
| linux | linux | >= f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d < f855b119e62b004a5044ed565f2a2b368c4d3f16 | f855b119e62b004a5044ed565f2a2b368c4d3f16 |
| linux | linux | >= f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d < 73483ca7e07a5e39bdf612eec9d3d293e8bef649 | 73483ca7e07a5e39bdf612eec9d3d293e8bef649 |
| linux | linux | >= f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d < 7360ee47599af91a1d5f4e74d635d9408a54e489 | 7360ee47599af91a1d5f4e74d635d9408a54e489 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 6.1.147-1 | 6.1.147-1 |
| linux | linux_kernel | >= 0 < 6.12.37-1 | 6.12.37-1 |
| linux | linux_kernel | >= 0 < 6.12.37-1 | 6.12.37-1 |
| linux | linux_kernel | >= 0 < 5.15.0-156.166 | 5.15.0-156.166 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 5.16 < 6.1.143 | 6.1.143 |
| linux | linux_kernel | >= 5.4 < 5.15.187 | 5.15.187 |
| linux | linux_kernel | >= 6.13 < 6.15.5 | 6.15.5 |
| linux | linux_kernel | >= 6.2 < 6.6.96 | 6.6.96 |
| linux | linux_kernel | >= 6.7 < 6.12.36 | 6.12.36 |
| msrc | azl3_kernel_6.6.92.2-2_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kernel_5.15.186.1-1_on_cbl_mariner_2.0 | — | — |
| ubuntu | linux-aws | — | — |
| ubuntu | linux-aws-6.8 | — | — |
CVSS provenance
nvd v3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv 7.8 HIGH