CVE-2025-38261 (GCVE-0-2025-38261)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: riscv: save the SR_SUM status over switches When threads/tasks are switched we need to ensure the old execution's SR_SUM state is saved and the new thread has the old SR_SUM state restored. The issue was seen under heavy load especially with the syz-stress tool running, with crashes as follows in schedule_tail: Unable to handle kernel access to user memory without uaccess routines at virtual address 000000002749f0d0 Oops [#1] Modules linked in: CPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0 Hardware name: riscv-virtio,qemu (DT) epc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264 ra : task_pid_vnr include/linux/sched.h:1421 [inline] ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264 epc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0 gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000 t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0 s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003 a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00 a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0 s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850 s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8 s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2 t5 : ffffffc4043cafba t6 : 0000000000040000 status: 0000000000000120 badaddr: 000000002749f0d0 cause: 000000000000000f Call Trace: [<ffffffe00008c8b0>] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264 [<ffffffe000005570>] ret_from_exception+0x0/0x14 Dumping ftrace buffer: (ftrace buffer empty) ---[ end trace b5f8f9231dc87dda ]--- The issue comes from the put_user() in schedule_tail (kernel/sched/core.c) doing the following: asmlinkage __visible void schedule_tail(struct task_struct *prev) { ... if (current->set_child_tid) put_user(task_pid_vnr(current), current->set_child_tid); ... } the put_user() macro causes the code sequence to come out as follows: 1: __enable_user_access() 2: reg = task_pid_vnr(current); 3: *current->set_child_tid = reg; 4: __disable_user_access() The problem is that we may have a sleeping function as argument which could clear SR_SUM causing the panic above. This was fixed by evaluating the argument of the put_user() macro outside the user-enabled section in commit 285a76bb2cf5 ("riscv: evaluate put_user() arg before enabling user access")" In order for riscv to take advantage of unsafe_get/put_XXX() macros and to avoid the same issue we had with put_user() and sleeping functions we must ensure code flow can go through switch_to() from within a region of code with SR_SUM enabled and come back with SR_SUM still enabled. This patch addresses the problem allowing future work to enable full use of unsafe_get/put_XXX() macros without needing to take a CSR bit flip cost on every access. Make switch_to() save and restore SR_SUM.
References
Impacted products
Vendor Product Version
Linux Linux Version: 76d2a0493a17d4c8ecc781366850c3c4f8e1a446
Version: 76d2a0493a17d4c8ecc781366850c3c4f8e1a446
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/include/asm/processor.h",
            "arch/riscv/kernel/asm-offsets.c",
            "arch/riscv/kernel/entry.S"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "69ea599a8dab93a620c92c255be4239a06290a77",
              "status": "affected",
              "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
              "versionType": "git"
            },
            {
              "lessThan": "788aa64c01f1262310b4c1fb827a36df170d86ea",
              "status": "affected",
              "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/include/asm/processor.h",
            "arch/riscv/kernel/asm-offsets.c",
            "arch/riscv/kernel/entry.S"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.5",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: save the SR_SUM status over switches\n\nWhen threads/tasks are switched we need to ensure the old execution\u0027s\nSR_SUM state is saved and the new thread has the old SR_SUM state\nrestored.\n\nThe issue was seen under heavy load especially with the syz-stress tool\nrunning, with crashes as follows in schedule_tail:\n\nUnable to handle kernel access to user memory without uaccess routines\nat virtual address 000000002749f0d0\nOops [#1]\nModules linked in:\nCPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted\n5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0\nHardware name: riscv-virtio,qemu (DT)\nepc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264\n ra : task_pid_vnr include/linux/sched.h:1421 [inline]\n ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264\nepc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0\n gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000\n t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0\n s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003\n a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00\n a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba\n s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0\n s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850\n s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8\n s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2\n t5 : ffffffc4043cafba t6 : 0000000000040000\nstatus: 0000000000000120 badaddr: 000000002749f0d0 cause:\n000000000000000f\nCall Trace:\n[\u003cffffffe00008c8b0\u003e] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264\n[\u003cffffffe000005570\u003e] ret_from_exception+0x0/0x14\nDumping ftrace buffer:\n   (ftrace buffer empty)\n---[ end trace b5f8f9231dc87dda ]---\n\nThe issue comes from the put_user() in schedule_tail\n(kernel/sched/core.c) doing the following:\n\nasmlinkage __visible void schedule_tail(struct task_struct *prev)\n{\n...\n        if (current-\u003eset_child_tid)\n                put_user(task_pid_vnr(current), current-\u003eset_child_tid);\n...\n}\n\nthe put_user() macro causes the code sequence to come out as follows:\n\n1:\t__enable_user_access()\n2:\treg = task_pid_vnr(current);\n3:\t*current-\u003eset_child_tid = reg;\n4:\t__disable_user_access()\n\nThe problem is that we may have a sleeping function as argument which\ncould clear SR_SUM causing the panic above. This was fixed by\nevaluating the argument of the put_user() macro outside the user-enabled\nsection in commit 285a76bb2cf5 (\"riscv: evaluate put_user() arg before\nenabling user access\")\"\n\nIn order for riscv to take advantage of unsafe_get/put_XXX() macros and\nto avoid the same issue we had with put_user() and sleeping functions we\nmust ensure code flow can go through switch_to() from within a region of\ncode with SR_SUM enabled and come back with SR_SUM still enabled. This\npatch addresses the problem allowing future work to enable full use of\nunsafe_get/put_XXX() macros without needing to take a CSR bit flip cost\non every access. Make switch_to() save and restore SR_SUM."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:16:33.410Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/69ea599a8dab93a620c92c255be4239a06290a77"
        },
        {
          "url": "https://git.kernel.org/stable/c/788aa64c01f1262310b4c1fb827a36df170d86ea"
        }
      ],
      "title": "riscv: save the SR_SUM status over switches",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38261",
    "datePublished": "2025-07-09T10:42:36.810Z",
    "dateReserved": "2025-04-16T04:51:23.997Z",
    "dateUpdated": "2025-07-28T04:16:33.410Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38261\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-09T11:15:28.460\",\"lastModified\":\"2025-11-20T20:14:50.460\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: save the SR_SUM status over switches\\n\\nWhen threads/tasks are switched we need to ensure the old execution\u0027s\\nSR_SUM state is saved and the new thread has the old SR_SUM state\\nrestored.\\n\\nThe issue was seen under heavy load especially with the syz-stress tool\\nrunning, with crashes as follows in schedule_tail:\\n\\nUnable to handle kernel access to user memory without uaccess routines\\nat virtual address 000000002749f0d0\\nOops [#1]\\nModules linked in:\\nCPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted\\n5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0\\nHardware name: riscv-virtio,qemu (DT)\\nepc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264\\n ra : task_pid_vnr include/linux/sched.h:1421 [inline]\\n ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264\\nepc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0\\n gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000\\n t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0\\n s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003\\n a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00\\n a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba\\n s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0\\n s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850\\n s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8\\n s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2\\n t5 : ffffffc4043cafba t6 : 0000000000040000\\nstatus: 0000000000000120 badaddr: 000000002749f0d0 cause:\\n000000000000000f\\nCall Trace:\\n[\u003cffffffe00008c8b0\u003e] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264\\n[\u003cffffffe000005570\u003e] ret_from_exception+0x0/0x14\\nDumping ftrace buffer:\\n   (ftrace buffer empty)\\n---[ end trace b5f8f9231dc87dda ]---\\n\\nThe issue comes from the put_user() in schedule_tail\\n(kernel/sched/core.c) doing the following:\\n\\nasmlinkage __visible void schedule_tail(struct task_struct *prev)\\n{\\n...\\n        if (current-\u003eset_child_tid)\\n                put_user(task_pid_vnr(current), current-\u003eset_child_tid);\\n...\\n}\\n\\nthe put_user() macro causes the code sequence to come out as follows:\\n\\n1:\\t__enable_user_access()\\n2:\\treg = task_pid_vnr(current);\\n3:\\t*current-\u003eset_child_tid = reg;\\n4:\\t__disable_user_access()\\n\\nThe problem is that we may have a sleeping function as argument which\\ncould clear SR_SUM causing the panic above. This was fixed by\\nevaluating the argument of the put_user() macro outside the user-enabled\\nsection in commit 285a76bb2cf5 (\\\"riscv: evaluate put_user() arg before\\nenabling user access\\\")\\\"\\n\\nIn order for riscv to take advantage of unsafe_get/put_XXX() macros and\\nto avoid the same issue we had with put_user() and sleeping functions we\\nmust ensure code flow can go through switch_to() from within a region of\\ncode with SR_SUM enabled and come back with SR_SUM still enabled. This\\npatch addresses the problem allowing future work to enable full use of\\nunsafe_get/put_XXX() macros without needing to take a CSR bit flip cost\\non every access. Make switch_to() save and restore SR_SUM.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: riscv: guardar el estado SR_SUM durante los cambios Cuando se cambian los subprocesos o las tareas, debemos asegurarnos de que se guarde el estado SR_SUM de la ejecuci\u00f3n anterior y que el nuevo subproceso tenga el estado SR_SUM anterior restaurado. El problema se observ\u00f3 bajo carga pesada, especialmente con la herramienta syz-stress ejecut\u00e1ndose, con fallos como los siguientes en schedule_tail: No se puede manejar el acceso del kernel a la memoria del usuario sin rutinas uaccess en la direcci\u00f3n virtual 000000002749f0d0 Oops [#1] M\u00f3dulos vinculados: CPU: 1 PID: 4875 Comm: syz-executor.0 No contaminado 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0 Nombre del hardware: riscv-virtio,qemu (DT) epc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264 ra : task_pid_vnr include/linux/sched.h:1421 [inline] ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264 epc: ffffffe00008c8b0 ra: ffffffe00008c8ae sp: ffffffe025d17ec0 gp: ffffffe005d25378 tp: ffffffe00f0d0000 t0: 0000000000000000 t1: 0000000000000001 t2: 00000000000f4240 s0: ffffffe025d17ee0 s1: 000000002749f0d0 a0: 00000000000002a a1: 000000000000003 a2: 1ffffffc0cfac500 a3: ffffffe0000c80cc a4: 5ae9db91c19bbe00 a5: 0000000000000000 a6: 0000000000f00000 a7: ffffffe000082eba s2: 0000000000040000 s3: ffffffe00eef96c0 s4: ffffffe022c77fe0 s5: 0000000000004000 s6: ffffffe067d74e00 s7: ffffffe067d74850 s8: ffffffe067d73e18 s9: ffffffe067d74e00 s10: ffffffe00eef96e8 s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2 t5 : ffffffc4043cafba t6 : 0000000000040000 estado: 0000000000000120 direcci\u00f3n incorrecta: 000000002749f0d0 causa: 000000000000000f Seguimiento de llamadas: [] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264 [] ret_from_exception+0x0/0x14 Volcando buffer ftrace: (ftrace buffer vac\u00edo) ---[ fin de seguimiento b5f8f9231dc87dda ]--- El problema proviene de put_user() en schedule_tail (kernel/sched/core.c) que hace lo siguiente: asmlinkage __visible void schedule_tail(struct task_struct *prev) { ... if (current-\u0026gt;set_child_tid) put_user(task_pid_vnr(current), current-\u0026gt;set_child_tid); ... } la macro put_user() hace que la secuencia de c\u00f3digo salga de la siguiente manera: 1: __enable_user_access() 2: reg = task_pid_vnr(current); 3: *current-\u0026gt;set_child_tid = reg; 4: __disable_user_access(). El problema radica en que podr\u00edamos tener una funci\u00f3n inactiva como argumento que podr\u00eda borrar SR_SUM, causando el p\u00e1nico mencionado. Esto se solucion\u00f3 evaluando el argumento de la macro put_user() fuera de la secci\u00f3n habilitada por el usuario en el commit 285a76bb2cf5 (\\\"riscv: evaluar el argumento put_user() antes de habilitar el acceso del usuario\\\"). Para que riscv aproveche las macros unsafe_get/put_XXX() y evite el mismo problema que tuvimos con put_user() y las funciones inactivas, debemos asegurar que el flujo de c\u00f3digo pueda pasar por switch_to() desde una regi\u00f3n de c\u00f3digo con SR_SUM habilitado y regresar con SR_SUM a\u00fan habilitado. Este parche soluciona el problema, lo que permitir\u00e1 que en trabajos futuros se habilite el uso completo de las macros unsafe_get/put_XXX() sin necesidad de aplicar un coste de cambio de bit CSR en cada acceso. Haga que switch_to() guarde y restaure SR_SUM.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.15\",\"versionEndExcluding\":\"6.15.5\",\"matchCriteriaId\":\"EFF2A66B-BE62-44E4-9625-6925863DFD4A\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/69ea599a8dab93a620c92c255be4239a06290a77\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/788aa64c01f1262310b4c1fb827a36df170d86ea\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.