CVE-2025-38398 (GCVE-0-2025-38398)
Vulnerability from cvelistv5
Published
2025-07-25 12:53
Modified
2025-07-28 04:21
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: spi: spi-qpic-snand: reallocate BAM transactions Using the mtd_nandbiterrs module for testing the driver occasionally results in weird things like below. 1. swiotlb mapping fails with the following message: [ 85.926216] qcom_snand 79b0000.spi: swiotlb buffer is full (sz: 4294967294 bytes), total 512 (slots), used 0 (slots) [ 85.932937] qcom_snand 79b0000.spi: failure in mapping desc [ 87.999314] qcom_snand 79b0000.spi: failure to write raw page [ 87.999352] mtd_nandbiterrs: error: write_oob failed (-110) Rebooting the board after this causes a panic due to a NULL pointer dereference. 2. If the swiotlb mapping does not fail, rebooting the board may result in a different panic due to a bad spinlock magic: [ 256.104459] BUG: spinlock bad magic on CPU#3, procd/2241 [ 256.104488] Unable to handle kernel paging request at virtual address ffffffff0000049b ... Investigating the issue revealed that these symptoms are results of memory corruption which is caused by out of bounds access within the driver. The driver uses a dynamically allocated structure for BAM transactions, which structure must have enough space for all possible variations of different flash operations initiated by the driver. The required space heavily depends on the actual number of 'codewords' which is calculated from the pagesize of the actual NAND chip. Although the qcom_nandc_alloc() function allocates memory for the BAM transactions during probe, but since the actual number of 'codewords' is not yet know the allocation is done for one 'codeword' only. Because of this, whenever the driver does a flash operation, and the number of the required transactions exceeds the size of the allocated arrays the driver accesses memory out of the allocated range. To avoid this, change the code to free the initially allocated BAM transactions memory, and allocate a new one once the actual number of 'codewords' required for a given NAND chip is known.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/86fb36de1132b560f9305f0c78fa69f459fa0980
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d85d0380292a7e618915069c3579ae23c7c80339
Impacted products
Vendor Product Version
Linux Linux Version: 7304d1909080ef0c9da703500a97f46c98393fcd
Version: 7304d1909080ef0c9da703500a97f46c98393fcd
 Create a notification for this product.
   Linux Linux Version: 6.15
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-qpic-snand.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "86fb36de1132b560f9305f0c78fa69f459fa0980",
              "status": "affected",
              "version": "7304d1909080ef0c9da703500a97f46c98393fcd",
              "versionType": "git"
            },
            {
              "lessThan": "d85d0380292a7e618915069c3579ae23c7c80339",
              "status": "affected",
              "version": "7304d1909080ef0c9da703500a97f46c98393fcd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-qpic-snand.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-qpic-snand: reallocate BAM transactions\n\nUsing the mtd_nandbiterrs module for testing the driver occasionally\nresults in weird things like below.\n\n1. swiotlb mapping fails with the following message:\n\n  [   85.926216] qcom_snand 79b0000.spi: swiotlb buffer is full (sz: 4294967294 bytes), total 512 (slots), used 0 (slots)\n  [   85.932937] qcom_snand 79b0000.spi: failure in mapping desc\n  [   87.999314] qcom_snand 79b0000.spi: failure to write raw page\n  [   87.999352] mtd_nandbiterrs: error: write_oob failed (-110)\n\n  Rebooting the board after this causes a panic due to a NULL pointer\n  dereference.\n\n2. If the swiotlb mapping does not fail, rebooting the board may result\n   in a different panic due to a bad spinlock magic:\n\n  [  256.104459] BUG: spinlock bad magic on CPU#3, procd/2241\n  [  256.104488] Unable to handle kernel paging request at virtual address ffffffff0000049b\n  ...\n\nInvestigating the issue revealed that these symptoms are results of\nmemory corruption which is caused by out of bounds access within the\ndriver.\n\nThe driver uses a dynamically allocated structure for BAM transactions,\nwhich structure must have enough space for all possible variations of\ndifferent flash operations initiated by the driver. The required space\nheavily depends on the actual number of \u0027codewords\u0027 which is calculated\nfrom the pagesize of the actual NAND chip.\n\nAlthough the qcom_nandc_alloc() function allocates memory for the BAM\ntransactions during probe, but since the actual number of \u0027codewords\u0027\nis not yet know the allocation is done for one \u0027codeword\u0027 only.\n\nBecause of this, whenever the driver does a flash operation, and the\nnumber of the required transactions exceeds the size of the allocated\narrays the driver accesses memory out of the allocated range.\n\nTo avoid this, change the code to free the initially allocated BAM\ntransactions memory, and allocate a new one once the actual number of\n\u0027codewords\u0027 required for a given NAND chip is known."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:21:04.890Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/86fb36de1132b560f9305f0c78fa69f459fa0980"
        },
        {
          "url": "https://git.kernel.org/stable/c/d85d0380292a7e618915069c3579ae23c7c80339"
        }
      ],
      "title": "spi: spi-qpic-snand: reallocate BAM transactions",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38398",
    "datePublished": "2025-07-25T12:53:42.398Z",
    "dateReserved": "2025-04-16T04:51:24.012Z",
    "dateUpdated": "2025-07-28T04:21:04.890Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38398\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-25T13:15:29.303\",\"lastModified\":\"2025-07-25T15:29:19.837\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspi: spi-qpic-snand: reallocate BAM transactions\\n\\nUsing the mtd_nandbiterrs module for testing the driver occasionally\\nresults in weird things like below.\\n\\n1. swiotlb mapping fails with the following message:\\n\\n  [   85.926216] qcom_snand 79b0000.spi: swiotlb buffer is full (sz: 4294967294 bytes), total 512 (slots), used 0 (slots)\\n  [   85.932937] qcom_snand 79b0000.spi: failure in mapping desc\\n  [   87.999314] qcom_snand 79b0000.spi: failure to write raw page\\n  [   87.999352] mtd_nandbiterrs: error: write_oob failed (-110)\\n\\n  Rebooting the board after this causes a panic due to a NULL pointer\\n  dereference.\\n\\n2. If the swiotlb mapping does not fail, rebooting the board may result\\n   in a different panic due to a bad spinlock magic:\\n\\n  [  256.104459] BUG: spinlock bad magic on CPU#3, procd/2241\\n  [  256.104488] Unable to handle kernel paging request at virtual address ffffffff0000049b\\n  ...\\n\\nInvestigating the issue revealed that these symptoms are results of\\nmemory corruption which is caused by out of bounds access within the\\ndriver.\\n\\nThe driver uses a dynamically allocated structure for BAM transactions,\\nwhich structure must have enough space for all possible variations of\\ndifferent flash operations initiated by the driver. The required space\\nheavily depends on the actual number of \u0027codewords\u0027 which is calculated\\nfrom the pagesize of the actual NAND chip.\\n\\nAlthough the qcom_nandc_alloc() function allocates memory for the BAM\\ntransactions during probe, but since the actual number of \u0027codewords\u0027\\nis not yet know the allocation is done for one \u0027codeword\u0027 only.\\n\\nBecause of this, whenever the driver does a flash operation, and the\\nnumber of the required transactions exceeds the size of the allocated\\narrays the driver accesses memory out of the allocated range.\\n\\nTo avoid this, change the code to free the initially allocated BAM\\ntransactions memory, and allocate a new one once the actual number of\\n\u0027codewords\u0027 required for a given NAND chip is known.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: spi: spi-qpic-snand: reasignar transacciones BAM El uso del m\u00f3dulo mtd_nandbiterrs para probar el controlador ocasionalmente da como resultado cosas extra\u00f1as como la siguiente. 1. La asignaci\u00f3n de swiotlb falla con el siguiente mensaje: [85.926216] qcom_snand 79b0000.spi: el b\u00fafer de swiotlb est\u00e1 lleno (sz: 4294967294 bytes), total 512 (ranuras), usado 0 (ranuras) [85.932937] qcom_snand 79b0000.spi: error en la asignaci\u00f3n desc [87.999314] qcom_snand 79b0000.spi: error al escribir la p\u00e1gina sin formato [87.999352] mtd_nandbiterrs: error: write_oob fall\u00f3 (-110) Reiniciar la placa despu\u00e9s de esto provoca un p\u00e1nico debido a una desreferencia de puntero NULL. 2. Si el mapeo swiotlb no falla, reiniciar la placa puede resultar en un p\u00e1nico diferente debido a un spinlock magic defectuoso: [ 256.104459] BUG: spinlock bad magic on CPU#3, procd/2241 [ 256.104488] Unable to handle kernel paging request at virtual address ffffffff0000049b ... La investigaci\u00f3n del problema revel\u00f3 que estos s\u00edntomas son resultados de la corrupci\u00f3n de memoria que es causada por el acceso fuera de los l\u00edmites dentro del controlador. El controlador utiliza una estructura asignada din\u00e1micamente para las transacciones BAM, dicha estructura debe tener suficiente espacio para todas las posibles variaciones de diferentes operaciones flash iniciadas por el controlador. El espacio requerido depende en gran medida del n\u00famero real de \u0027palabras de c\u00f3digo\u0027 que se calcula a partir del tama\u00f1o de p\u00e1gina del chip NAND real. Aunque la funci\u00f3n qcom_nandc_alloc() asigna memoria para las transacciones BAM durante el sondeo, pero como el n\u00famero real de \u0027palabras de c\u00f3digo\u0027 a\u00fan no se conoce, la asignaci\u00f3n se realiza solo para una \u0027palabra de c\u00f3digo\u0027. Por ello, siempre que el controlador realiza una operaci\u00f3n de flash y el n\u00famero de transacciones requeridas excede el tama\u00f1o de las matrices asignadas, accede a memoria fuera del rango asignado. Para evitarlo, modifique el c\u00f3digo para liberar la memoria de transacciones BAM inicialmente asignada y asigne una nueva una vez que se conozca el n\u00famero real de palabras de c\u00f3digo requeridas para un chip NAND determinado.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/86fb36de1132b560f9305f0c78fa69f459fa0980\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d85d0380292a7e618915069c3579ae23c7c80339\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.