ghsa-wvjq-jmp5-gvcr
Vulnerability from github
Published
2025-09-05 18:31
Modified
2025-09-05 18:31
Details

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: BPF: Fix jump offset calculation in tailcall

The extra pass of bpf_int_jit_compile() skips JIT context initialization which essentially skips offset calculation leaving out_offset = -1, so the jmp_offset in emit_bpf_tail_call is calculated by

"#define jmp_offset (out_offset - (cur_offset))"

is a negative number, which is wrong. The final generated assembly are as follow.

54: bgeu $a2, $t1, -8 # 0x0000004c 58: addi.d $a6, $s5, -1 5c: bltz $a6, -16 # 0x0000004c 60: alsl.d $t2, $a2, $a1, 0x3 64: ld.d $t2, $t2, 264 68: beq $t2, $zero, -28 # 0x0000004c

Before apply this patch, the follow test case will reveal soft lock issues.

cd tools/testing/selftests/bpf/ ./test_progs --allow=tailcalls/tailcall_bpf2bpf_1

dmesg: watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38723"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T16:15:42Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Fix jump offset calculation in tailcall\n\nThe extra pass of bpf_int_jit_compile() skips JIT context initialization\nwhich essentially skips offset calculation leaving out_offset = -1, so\nthe jmp_offset in emit_bpf_tail_call is calculated by\n\n\"#define jmp_offset (out_offset - (cur_offset))\"\n\nis a negative number, which is wrong. The final generated assembly are\nas follow.\n\n54:\tbgeu        \t$a2, $t1, -8\t    # 0x0000004c\n58:\taddi.d      \t$a6, $s5, -1\n5c:\tbltz        \t$a6, -16\t    # 0x0000004c\n60:\talsl.d      \t$t2, $a2, $a1, 0x3\n64:\tld.d        \t$t2, $t2, 264\n68:\tbeq         \t$t2, $zero, -28\t    # 0x0000004c\n\nBefore apply this patch, the follow test case will reveal soft lock issues.\n\ncd tools/testing/selftests/bpf/\n./test_progs --allow=tailcalls/tailcall_bpf2bpf_1\n\ndmesg:\nwatchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]",
  "id": "GHSA-wvjq-jmp5-gvcr",
  "modified": "2025-09-05T18:31:17Z",
  "published": "2025-09-05T18:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38723"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/17c010fe45def335fe03a0718935416b04c7f349"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1a782fa32e644aa9fbae6c8488f3e61221ac96e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9262e3e04621558e875eb5afb5e726b648cd5949"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd39d9e6b7e4c58fa77783e7aedf7ada51d02ea3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f2b5e50cc04d7a049b385bc1c93b9cbf5f10c94f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f83d469e16bb1f75991ca67c56786fb2aaa42bea"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.