ghsa-7g52-rhh3-6j2h
Vulnerability from github
Published
2025-09-16 15:32
Modified
2025-09-16 15:32
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: fix NULL pointer dereference in ice_unplug_aux_dev() on reset

Issuing a reset when the driver is loaded without RDMA support, will results in a crash as it attempts to remove RDMA's non-existent auxbus device: echo 1 > /sys/class/net//device/reset

BUG: kernel NULL pointer dereference, address: 0000000000000008 ... RIP: 0010:ice_unplug_aux_dev+0x29/0x70 [ice] ... Call Trace: ice_prepare_for_reset+0x77/0x260 [ice] pci_dev_save_and_disable+0x2c/0x70 pci_reset_function+0x88/0x130 reset_store+0x5a/0xa0 kernfs_fop_write_iter+0x15e/0x210 vfs_write+0x273/0x520 ksys_write+0x6b/0xe0 do_syscall_64+0x79/0x3b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

ice_unplug_aux_dev() checks pf->cdev_info->adev for NULL pointer, but pf->cdev_info will also be NULL, leading to the deref in the trace above.

Introduce a flag to be set when the creation of the auxbus device is successful, to avoid multiple NULL pointer checks in ice_unplug_aux_dev().

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39814"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T13:15:55Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix NULL pointer dereference in ice_unplug_aux_dev() on reset\n\nIssuing a reset when the driver is loaded without RDMA support, will\nresults in a crash as it attempts to remove RDMA\u0027s non-existent auxbus\ndevice:\necho 1 \u003e /sys/class/net/\u003cif\u003e/device/reset\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n...\nRIP: 0010:ice_unplug_aux_dev+0x29/0x70 [ice]\n...\nCall Trace:\n\u003cTASK\u003e\nice_prepare_for_reset+0x77/0x260 [ice]\npci_dev_save_and_disable+0x2c/0x70\npci_reset_function+0x88/0x130\nreset_store+0x5a/0xa0\nkernfs_fop_write_iter+0x15e/0x210\nvfs_write+0x273/0x520\nksys_write+0x6b/0xe0\ndo_syscall_64+0x79/0x3b0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nice_unplug_aux_dev() checks pf-\u003ecdev_info-\u003eadev for NULL pointer, but\npf-\u003ecdev_info will also be NULL, leading to the deref in the trace above.\n\nIntroduce a flag to be set when the creation of the auxbus device is\nsuccessful, to avoid multiple NULL pointer checks in ice_unplug_aux_dev().",
  "id": "GHSA-7g52-rhh3-6j2h",
  "modified": "2025-09-16T15:32:35Z",
  "published": "2025-09-16T15:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39814"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/60dfe2434eed13082f26eb7409665dfafb38fa51"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/db783756a7d7cfaea039411971d0dc0a374e85cb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.