CVE-2025-38723
Published: 2025-09-04
Severity: medium, CVSS 3.1 base score 5.5
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
In the Linux kernel, the following vulnerability has been resolved:
LoongArch: BPF: Fix jump offset calculation in tailcall
The extra pass of bpf_int_jit_compile() skips JIT context initialization,
which essentially skips offset calculation, leaving out_offset = -1, so
the jmp_offset in emit_bpf_tail_call, calculated by
"#define jmp_offset (out_offset - (cur_offset))",
is a negative number, which is wrong. The final generated assembly is
as follows.
```
54: bgeu $a2, $t1, -8 # 0x0000004c
58: addi.d $a6, $s5, -1
5c: bltz $a6, -16 # 0x0000004c
60: alsl.d $t2, $a2, $a1, 0x3
64: ld.d $t2, $t2, 264
68: beq $t2, $zero, -28 # 0x0000004c
```
Before applying this patch, the following test case will reveal soft lockup issues.
```
cd tools/testing/selftests/bpf/
./test_progs --allow=tailcalls/tailcall_bpf2bpf_1
```
dmesg:
```
watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]
```
Affected (20 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 5dc615520c4dfb358245680f1904bad61116648e < 1a782fa32e644aa9fbae6c8488f3e61221ac96e1 | 1a782fa32e644aa9fbae6c8488f3e61221ac96e1 |
| linux | linux | >= 5dc615520c4dfb358245680f1904bad61116648e < 17c010fe45def335fe03a0718935416b04c7f349 | 17c010fe45def335fe03a0718935416b04c7f349 |
| linux | linux | >= 5dc615520c4dfb358245680f1904bad61116648e < f83d469e16bb1f75991ca67c56786fb2aaa42bea | f83d469e16bb1f75991ca67c56786fb2aaa42bea |
| linux | linux | >= 5dc615520c4dfb358245680f1904bad61116648e < f2b5e50cc04d7a049b385bc1c93b9cbf5f10c94f | f2b5e50cc04d7a049b385bc1c93b9cbf5f10c94f |
| linux | linux | >= 5dc615520c4dfb358245680f1904bad61116648e < 9262e3e04621558e875eb5afb5e726b648cd5949 | 9262e3e04621558e875eb5afb5e726b648cd5949 |
| linux | linux | >= 5dc615520c4dfb358245680f1904bad61116648e < cd39d9e6b7e4c58fa77783e7aedf7ada51d02ea3 | cd39d9e6b7e4c58fa77783e7aedf7ada51d02ea3 |
| linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1 |
| linux | linux_kernel | >= 0 < 6.12.43-1 | 6.12.43-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 6.1 < 6.1.149 | 6.1.149 |
| linux | linux_kernel | >= 6.13 < 6.15.11 | 6.15.11 |
| linux | linux_kernel | >= 6.16 < 6.16.2 | 6.16.2 |
| linux | linux_kernel | >= 6.2 < 6.6.103 | 6.6.103 |
| linux | linux_kernel | >= 6.7 < 6.12.43 | 6.12.43 |
| msrc | azl3_kernel_6.6.96.2-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.96.2-2_on_azure_linux_3.0 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 5.5 | MEDIUM | — |