ghsa-4wjr-gmwc-pw8f
Vulnerability from github
Published
2025-10-28 12:30
Modified
2025-10-28 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()

When platform firmware supplies error information to the OS, e.g., via the ACPI APEI GHES mechanism, it may identify an error source device that doesn't advertise an AER Capability and therefore dev->aer_info, which contains AER stats and ratelimiting data, is NULL.

pci_dev_aer_stats_incr() already checks dev->aer_info for NULL, but aer_ratelimit() did not, leading to NULL pointer dereferences like this one from the URL below:

{1}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 0 {1}[Hardware Error]: event severity: corrected {1}[Hardware Error]: device_id: 0000:00:00.0 {1}[Hardware Error]: vendor_id: 0x8086, device_id: 0x2020 {1}[Hardware Error]: aer_cor_status: 0x00001000, aer_cor_mask: 0x00002000 BUG: kernel NULL pointer dereference, address: 0000000000000264 RIP: 0010:___ratelimit+0xc/0x1b0 pci_print_aer+0x141/0x360 aer_recover_work_func+0xb5/0x130

[8086:2020] is an Intel "Sky Lake-E DMI3 Registers" device that claims to be a Root Port but does not advertise an AER Capability.

Add a NULL check in aer_ratelimit() to avoid the NULL pointer dereference. Note that this also prevents ratelimiting these events from GHES.

[bhelgaas: add crash details to commit log]

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-40034"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-28T12:15:37Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/AER: Avoid NULL pointer dereference in aer_ratelimit()\n\nWhen platform firmware supplies error information to the OS, e.g., via the\nACPI APEI GHES mechanism, it may identify an error source device that\ndoesn\u0027t advertise an AER Capability and therefore dev-\u003eaer_info, which\ncontains AER stats and ratelimiting data, is NULL.\n\npci_dev_aer_stats_incr() already checks dev-\u003eaer_info for NULL, but\naer_ratelimit() did not, leading to NULL pointer dereferences like this one\nfrom the URL below:\n\n  {1}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 0\n  {1}[Hardware Error]: event severity: corrected\n  {1}[Hardware Error]:   device_id: 0000:00:00.0\n  {1}[Hardware Error]:   vendor_id: 0x8086, device_id: 0x2020\n  {1}[Hardware Error]:   aer_cor_status: 0x00001000, aer_cor_mask: 0x00002000\n  BUG: kernel NULL pointer dereference, address: 0000000000000264\n  RIP: 0010:___ratelimit+0xc/0x1b0\n  pci_print_aer+0x141/0x360\n  aer_recover_work_func+0xb5/0x130\n\n[8086:2020] is an Intel \"Sky Lake-E DMI3 Registers\" device that claims to\nbe a Root Port but does not advertise an AER Capability.\n\nAdd a NULL check in aer_ratelimit() to avoid the NULL pointer dereference.\nNote that this also prevents ratelimiting these events from GHES.\n\n[bhelgaas: add crash details to commit log]",
  "id": "GHSA-4wjr-gmwc-pw8f",
  "modified": "2025-10-28T12:30:16Z",
  "published": "2025-10-28T12:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40034"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/41683624cbff0a26bb7e0627f4a7e1b51a8779a8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/deb2f228388ff3a9d0623e3b59a053e9235c341d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.