CVE-2025-39788 (GCVE-0-2025-39788)
Vulnerability from cvelistv5
Published
2025-09-11 16:56
Modified
2025-09-11 16:56
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE On Google gs101, the number of UTP transfer request slots (nutrs) is 32, and in this case the driver ends up programming the UTRL_NEXUS_TYPE incorrectly as 0. This is because the left hand side of the shift is 1, which is of type int, i.e. 31 bits wide. Shifting by more than that width results in undefined behaviour. Fix this by switching to the BIT() macro, which applies correct type casting as required. This ensures the correct value is written to UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift warning: UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21 shift exponent 32 is too large for 32-bit type 'int' For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE write.
Impacted products
Vendor Product Version
Linux Linux Version: 55f4b1f73631a0817717fe6e98517de51b4c3527
Version: 55f4b1f73631a0817717fe6e98517de51b4c3527
Version: 55f4b1f73631a0817717fe6e98517de51b4c3527
Version: 55f4b1f73631a0817717fe6e98517de51b4c3527
Version: 55f4b1f73631a0817717fe6e98517de51b4c3527
Version: 55f4b1f73631a0817717fe6e98517de51b4c3527
Version: 55f4b1f73631a0817717fe6e98517de51b4c3527
Create a notification for this product.
   Linux Linux Version: 5.9
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/host/ufs-exynos.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "01510a9e8222f11cce064410f3c2fcf0756c0a08",
              "status": "affected",
              "version": "55f4b1f73631a0817717fe6e98517de51b4c3527",
              "versionType": "git"
            },
            {
              "lessThan": "098b2c8ee208c77126839047b9e6e1925bb35baa",
              "status": "affected",
              "version": "55f4b1f73631a0817717fe6e98517de51b4c3527",
              "versionType": "git"
            },
            {
              "lessThan": "c1f025da8f370a015e412b55cbcc583f91de8316",
              "status": "affected",
              "version": "55f4b1f73631a0817717fe6e98517de51b4c3527",
              "versionType": "git"
            },
            {
              "lessThan": "6d53b2a134da77eb7fe65c5c7c7a3c193539a78a",
              "status": "affected",
              "version": "55f4b1f73631a0817717fe6e98517de51b4c3527",
              "versionType": "git"
            },
            {
              "lessThan": "dc8fb963742f1a38d284946638f9358bdaa0ddee",
              "status": "affected",
              "version": "55f4b1f73631a0817717fe6e98517de51b4c3527",
              "versionType": "git"
            },
            {
              "lessThan": "5b9f1ef293428ea9c0871d96fcec2a87c4445832",
              "status": "affected",
              "version": "55f4b1f73631a0817717fe6e98517de51b4c3527",
              "versionType": "git"
            },
            {
              "lessThan": "01aad16c2257ab8ff33b152b972c9f2e1af47912",
              "status": "affected",
              "version": "55f4b1f73631a0817717fe6e98517de51b4c3527",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/host/ufs-exynos.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17-rc1",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE\n\nOn Google gs101, the number of UTP transfer request slots (nutrs) is 32,\nand in this case the driver ends up programming the UTRL_NEXUS_TYPE\nincorrectly as 0.\n\nThis is because the left hand side of the shift is 1, which is of type\nint, i.e. 31 bits wide. Shifting by more than that width results in\nundefined behaviour.\n\nFix this by switching to the BIT() macro, which applies correct type\ncasting as required. This ensures the correct value is written to\nUTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift\nwarning:\n\n    UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21\n    shift exponent 32 is too large for 32-bit type \u0027int\u0027\n\nFor consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE\nwrite."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-11T16:56:37.173Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/01510a9e8222f11cce064410f3c2fcf0756c0a08"
        },
        {
          "url": "https://git.kernel.org/stable/c/098b2c8ee208c77126839047b9e6e1925bb35baa"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1f025da8f370a015e412b55cbcc583f91de8316"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d53b2a134da77eb7fe65c5c7c7a3c193539a78a"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc8fb963742f1a38d284946638f9358bdaa0ddee"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b9f1ef293428ea9c0871d96fcec2a87c4445832"
        },
        {
          "url": "https://git.kernel.org/stable/c/01aad16c2257ab8ff33b152b972c9f2e1af47912"
        }
      ],
      "title": "scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39788",
    "datePublished": "2025-09-11T16:56:37.173Z",
    "dateReserved": "2025-04-16T07:20:57.131Z",
    "dateUpdated": "2025-09-11T16:56:37.173Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-39788\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-09-11T17:15:45.070\",\"lastModified\":\"2025-09-15T15:22:38.297\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE\\n\\nOn Google gs101, the number of UTP transfer request slots (nutrs) is 32,\\nand in this case the driver ends up programming the UTRL_NEXUS_TYPE\\nincorrectly as 0.\\n\\nThis is because the left hand side of the shift is 1, which is of type\\nint, i.e. 31 bits wide. Shifting by more than that width results in\\nundefined behaviour.\\n\\nFix this by switching to the BIT() macro, which applies correct type\\ncasting as required. This ensures the correct value is written to\\nUTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift\\nwarning:\\n\\n    UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21\\n    shift exponent 32 is too large for 32-bit type \u0027int\u0027\\n\\nFor consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE\\nwrite.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/01510a9e8222f11cce064410f3c2fcf0756c0a08\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/01aad16c2257ab8ff33b152b972c9f2e1af47912\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/098b2c8ee208c77126839047b9e6e1925bb35baa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5b9f1ef293428ea9c0871d96fcec2a87c4445832\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6d53b2a134da77eb7fe65c5c7c7a3c193539a78a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c1f025da8f370a015e412b55cbcc583f91de8316\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dc8fb963742f1a38d284946638f9358bdaa0ddee\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…