CVE-2025-38300
published 2025-07-10CVE-2025-38300: In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Fix two DMA…
medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
In the Linux kernel, the following vulnerability has been resolved:
crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()
Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare():
1] If dma_map_sg() fails for areq->dst, the device driver would try to free
DMA memory it has not allocated in the first place. To fix this, on the
"theend_sgs" error path, call dma unmap only if the corresponding dma
map was successful.
2] If the dma_map_single() call for the IV fails, the device driver would
try to free an invalid DMA memory address on the "theend_iv" path:
------------[ cut here ]------------
DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address
WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90
Modules linked in: skcipher_example(O+)
CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G O 6.15.0-rc3+ #24 PREEMPT
Tainted: [O]=OOT_MODULE
Hardware name: OrangePi Zero2 (DT)
pc : check_unmap+0x123c/0x1b90
lr : check_unmap+0x123c/0x1b90
...
Call trace:
check_unmap+0x123c/0x1b90 (P)
debug_dma_unmap_page+0xac/0xc0
dma_unmap_page_attrs+0x1f4/0x5fc
sun8i_ce_cipher_do_one+0x1bd4/0x1f40
crypto_pump_work+0x334/0x6e0
kthread_worker_fn+0x21c/0x438
kthread+0x374/0x664
ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---
To fix this, check for !dma_mapping_error() before calling
dma_unmap_single() on the "theend_iv" path.
Affected
32 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 06f751b613296cc34b86fc83fccaf30d646eb8bc < a0ac3f85b2e3ef529e852f252a70311f9029d5e6 | a0ac3f85b2e3ef529e852f252a70311f9029d5e6 |
| linux | linux | >= 06f751b613296cc34b86fc83fccaf30d646eb8bc < c62b79c1c51303dbcb6edfa4de0ee176f4934c52 | c62b79c1c51303dbcb6edfa4de0ee176f4934c52 |
| linux | linux | >= 06f751b613296cc34b86fc83fccaf30d646eb8bc < 19d267d9fad00d94ad8477899e38ed7c11f33fb6 | 19d267d9fad00d94ad8477899e38ed7c11f33fb6 |
| linux | linux | >= 06f751b613296cc34b86fc83fccaf30d646eb8bc < 4051250e5db489f8ad65fc337e2677b9b568ac72 | 4051250e5db489f8ad65fc337e2677b9b568ac72 |
| linux | linux | >= 06f751b613296cc34b86fc83fccaf30d646eb8bc < f31adc3e356f7350d4a4d68c98d3f60f2f6e26b3 | f31adc3e356f7350d4a4d68c98d3f60f2f6e26b3 |
| linux | linux_kernel | >= 0 < 6.1.147-1 | 6.1.147-1 |
| linux | linux_kernel | >= 0 < 6.12.35-1 | 6.12.35-1 |
| linux | linux_kernel | >= 0 < 6.12.35-1 | 6.12.35-1 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 5.5 < 6.1.142 | 6.1.142 |
| linux | linux_kernel | >= 6.13 < 6.15.3 | 6.15.3 |
| linux | linux_kernel | >= 6.2 < 6.6.94 | 6.6.94 |
| linux | linux_kernel | >= 6.7 < 6.12.34 | 6.12.34 |
| msrc | azl3_kernel_6.6.92.2-2_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kernel_5.10.78.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kernel_5.15.186.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kernel_5.15.200.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kernel_5.15.202.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_kernel_5.10.74.1-1_on_cbl_mariner_1.0 | — | — |
| ubuntu | linux-aws | — | — |
| ubuntu | linux-aws-6.8 | — | — |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv5.5MEDIUM