7.1

CVE-2025-38445

md/raid1: Fix stack memory use after return in raid1_reshape

In the Linux kernel, the following vulnerability has been resolved:

md/raid1: Fix stack memory use after return in raid1_reshape

In the raid1_reshape function, newpool is
allocated on the stack and assigned to conf->r1bio_pool.
This results in conf->r1bio_pool.wait.head pointing
to a stack address.
Accessing this address later can lead to a kernel panic.

Example access path:

raid1_reshape()
{
	// newpool is on the stack
	mempool_t newpool, oldpool;
	// initialize newpool.wait.head to stack address
	mempool_init(&newpool, ...);
	conf->r1bio_pool = newpool;
}

raid1_read_request() or raid1_write_request()
{
	alloc_r1bio()
	{
		mempool_alloc()
		{
			// if pool->alloc fails
			remove_element()
			{
				--pool->curr_nr;
			}
		}
	}
}

mempool_free()
{
	if (pool->curr_nr < pool->min_nr) {
		// pool->wait.head is a stack address
		// wake_up() will try to access this invalid address
		// which leads to a kernel panic
		return;
		wake_up(&pool->wait);
	}
}

Fix:
reinit conf->r1bio_pool.wait after assigning newpool.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.18 < 5.4.296
LinuxLinux Kernel Version >= 5.5 < 5.10.240
LinuxLinux Kernel Version >= 5.11 < 5.15.189
LinuxLinux Kernel Version >= 5.16 < 6.1.146
LinuxLinux Kernel Version >= 6.2 < 6.6.99
LinuxLinux Kernel Version >= 6.7 < 6.12.39
LinuxLinux Kernel Version >= 6.13 < 6.15.7
LinuxLinux Kernel Version6.16 Updaterc1
LinuxLinux Kernel Version6.16 Updaterc2
LinuxLinux Kernel Version6.16 Updaterc3
LinuxLinux Kernel Version6.16 Updaterc4
LinuxLinux Kernel Version6.16 Updaterc5
DebianDebian Linux Version11.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.17% 0.061
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.1 1.8 5.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/12b00ec99624f8da8c325f2dd6e807df26df0025
Patch
https://git.kernel.org/stable/c/48da050b4f54ed639b66278d0ae6f4107b2c4e2d
Patch
https://git.kernel.org/stable/c/5f35e48b76655e45522df338876dfef88dafcc71
Patch
https://git.kernel.org/stable/c/61fd5e93006cf82ec8ee5c115ab5cf4bbd104bdb
Patch
https://git.kernel.org/stable/c/776e6186dc9ecbdb8a1b706e989166c8a99bbf64
Patch
https://git.kernel.org/stable/c/d67ed2ccd2d1dcfda9292c0ea8697a9d0f2f0d98
Patch
https://git.kernel.org/stable/c/d8a6853d00fbaa810765c8ed2f452a5832273968
Patch
https://git.kernel.org/stable/c/df5894014a92ff0196dbc212a7764e97366fd2b7
Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
Third Party Advisory