CVE-2025-38581
published 2025-08-19CVE-2025-38581: In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix crash when rebind ccp device for ccp.ko When…
medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp - Fix crash when rebind ccp device for ccp.ko
When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding
the ccp device causes the following crash:
$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind
$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind
[ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098
[ 204.978026] #PF: supervisor write access in kernel mode
[ 204.979126] #PF: error_code(0x0002) - not-present page
[ 204.980226] PGD 0 P4D 0
[ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI
...
[ 204.997852] Call Trace:
[ 204.999074]
[ 205.000297] start_creating+0x9f/0x1c0
[ 205.001533] debugfs_create_dir+0x1f/0x170
[ 205.002769] ? srso_return_thunk+0x5/0x5f
[ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp]
[ 205.005241] ccp5_init+0x8b2/0x960 [ccp]
[ 205.006469] ccp_dev_init+0xd4/0x150 [ccp]
[ 205.007709] sp_init+0x5f/0x80 [ccp]
[ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp]
[ 205.010165] ? srso_return_thunk+0x5/0x5f
[ 205.011376] local_pci_probe+0x4f/0xb0
[ 205.012584] pci_device_probe+0xdb/0x230
[ 205.013810] really_probe+0xed/0x380
[ 205.015024] __driver_probe_device+0x7e/0x160
[ 205.016240] device_driver_attach+0x2f/0x60
[ 205.017457] bind_store+0x7c/0xb0
[ 205.018663] drv_attr_store+0x28/0x40
[ 205.019868] sysfs_kf_write+0x5f/0x70
[ 205.021065] kernfs_fop_write_iter+0x145/0x1d0
[ 205.022267] vfs_write+0x308/0x440
[ 205.023453] ksys_write+0x6d/0xe0
[ 205.024616] __x64_sys_write+0x1e/0x30
[ 205.025778] x64_sys_call+0x16ba/0x2150
[ 205.026942] do_syscall_64+0x56/0x1e0
[ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 205.029276] RIP: 0033:0x7fbc36f10104
[ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5
This patch sets ccp_debugfs_dir to NULL after destroying it in
ccp5_debugfs_destroy, allowing
Affected
44 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.148-1 (bookworm) | linux 6.1.148-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.148-1 (bookworm) | linux 6.1.148-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 < a25ab6dfa0ce323ec308966988be6b675eb9d3e5 | a25ab6dfa0ce323ec308966988be6b675eb9d3e5 |
| linux | linux | >= 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 < ce63a83925964ab7564bd216bd92b80bc365492e | ce63a83925964ab7564bd216bd92b80bc365492e |
| linux | linux | >= 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 < 20c0ed8dd65834e6bab464f54cd6ff68659bacb9 | 20c0ed8dd65834e6bab464f54cd6ff68659bacb9 |
| linux | linux | >= 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 < 2d4060f05e74dbee884ba723f6afd9282befc3c5 | 2d4060f05e74dbee884ba723f6afd9282befc3c5 |
| linux | linux | >= 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 < db111468531777cac8b4beb6515a88a54b0c4a74 | db111468531777cac8b4beb6515a88a54b0c4a74 |
| linux | linux | >= 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 < 9dea08eac4f6d6fbbae59992978252e2edab995d | 9dea08eac4f6d6fbbae59992978252e2edab995d |
| linux | linux | >= 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 < 6eadf50c1d894cb34f3237064063207460946040 | 6eadf50c1d894cb34f3237064063207460946040 |
| linux | linux | >= 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 < 64ec9a7e7a6398b172ab6feba60e952163a1c3d5 | 64ec9a7e7a6398b172ab6feba60e952163a1c3d5 |
| linux | linux | >= 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 < 181698af38d3f93381229ad89c09b5bd0496661a | 181698af38d3f93381229ad89c09b5bd0496661a |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.148-1 | 6.1.148-1 |
| linux | linux_kernel | >= 0 < 6.12.43-1 | 6.12.43-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 4.13 < 5.4.297 | 5.4.297 |
| linux | linux_kernel | >= 5.11 < 5.15.190 | 5.15.190 |
| linux | linux_kernel | >= 5.16 < 6.1.148 | 6.1.148 |
| linux | linux_kernel | >= 5.5 < 5.10.241 | 5.10.241 |
| linux | linux_kernel | >= 6.13 < 6.15.10 | 6.15.10 |
| linux | linux_kernel | >= 6.16 < 6.16.1 | 6.16.1 |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv5.5MEDIUM