CVE-2025-37911

{"id": "CVE-2025-37911", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-05-20T16:15:27.610", "references": [{"url": "https://git.kernel.org/stable/c/43292b83424158fa6ec458799f3cb9c54d18c484", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/44807af79efd0d78fa36383dd865ddfe7992c0a6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/44d81a9ebf0cad92512e0ffdf7412bfe20db66ec", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4d69864915a3a052538e4ba76cd6fd77cfc64ebe", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/69b10dd23ab826d0c7f2d9ab311842251978d0c1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6b87bd94f34370bbf1dfa59352bed8efab5bf419", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix out-of-bound memcpy() during ethtool -w\n\nWhen retrieving the FW coredump using ethtool, it can sometimes cause\nmemory corruption:\n\nBUG: KFENCE: memory corruption in __bnxt_get_coredump+0x3ef/0x670 [bnxt_en]\nCorrupted memory at 0x000000008f0f30e8 [ ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ] (in kfence-#45):\n__bnxt_get_coredump+0x3ef/0x670 [bnxt_en]\nethtool_get_dump_data+0xdc/0x1a0\n__dev_ethtool+0xa1e/0x1af0\ndev_ethtool+0xa8/0x170\ndev_ioctl+0x1b5/0x580\nsock_do_ioctl+0xab/0xf0\nsock_ioctl+0x1ce/0x2e0\n__x64_sys_ioctl+0x87/0xc0\ndo_syscall_64+0x5c/0xf0\nentry_SYSCALL_64_after_hwframe+0x78/0x80\n\n...\n\nThis happens when copying the coredump segment list in\nbnxt_hwrm_dbg_dma_data() with the HWRM_DBG_COREDUMP_LIST FW command.\nThe info->dest_buf buffer is allocated based on the number of coredump\nsegments returned by the FW. The segment list is then DMA'ed by\nthe FW and the length of the DMA is returned by FW. The driver then\ncopies this DMA'ed segment list to info->dest_buf.\n\nIn some cases, this DMA length may exceed the info->dest_buf length\nand cause the above BUG condition. Fix it by capping the copy\nlength to not exceed the length of info->dest_buf. The extra\nDMA data contains no useful information.\n\nThis code path is shared for the HWRM_DBG_COREDUMP_LIST and the\nHWRM_DBG_COREDUMP_RETRIEVE FW commands. The buffering is different\nfor these 2 FW commands. To simplify the logic, we need to move\nthe line to adjust the buffer length for HWRM_DBG_COREDUMP_RETRIEVE\nup, so that the new check to cap the copy length will work for both\ncommands."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bnxt_en: Se corrige memcpy() fuera de los l\u00edmite durante ethtool -w Al recuperar el volcado de n\u00facleo de FW con ethtool, a veces puede causar corrupci\u00f3n de memoria: ERROR: KFENCE: corrupci\u00f3n de memoria en __bnxt_get_coredump+0x3ef/0x670 [bnxt_en] Memoria corrupta en 0x000000008f0f30e8 [ ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ] (en kfence-#45): __bnxt_get_coredump+0x3ef/0x670 [bnxt_es] ethtool_get_dump_data+0xdc/0x1a0 __dev_ethtool+0xa1e/0x1af0 dev_ethtool+0xa8/0x170 dev_ioctl+0x1b5/0x580 sock_do_ioctl+0xab/0xf0 sock_ioctl+0x1ce/0x2e0 __x64_sys_ioctl+0x87/0xc0 do_syscall_64+0x5c/0xf0 entry_SYSCALL_64_after_hwframe+0x78/0x80 ... Esto sucede al copiar la lista de segmentos del volcado de n\u00facleo en bnxt_hwrm_dbg_dma_data() con el comando de firmware HWRM_DBG_COREDUMP_LIST. El b\u00fafer info->dest_buf se asigna seg\u00fan la cantidad de segmentos de volcado de n\u00facleo devueltos por el firmware. El firmware procesa la lista de segmentos mediante DMA y devuelve su longitud. El controlador copia esta lista de segmentos procesada mediante DMA en info->dest_buf. En algunos casos, esta longitud de DMA puede superar la longitud de info->dest_buf y causar el error mencionado. Para solucionarlo, limite la longitud de la copia para que no supere la longitud de info->dest_buf. Los datos DMA adicionales no contienen informaci\u00f3n \u00fatil. Esta ruta de c\u00f3digo es compartida por los comandos de firmware HWRM_DBG_COREDUMP_LIST y HWRM_DBG_COREDUMP_RETRIEVE. El almacenamiento en b\u00fafer es diferente para estos dos comandos de firmware. Para simplificar la l\u00f3gica, necesitamos mover la l\u00ednea para ajustar la longitud del b\u00fafer para HWRM_DBG_COREDUMP_RETRIEVE hacia arriba, de modo que la nueva verificaci\u00f3n para limitar la longitud de la copia funcione para ambos comandos."}], "lastModified": "2025-11-17T14:50:40.823", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F8BA967D-44E8-4797-9C66-4A688373DA1C", "versionEndExcluding": "4.20", "versionStartIncluding": "4.19.95"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A1F70F25-EF24-41F5-84A3-EE6BF8BD9843", "versionEndExcluding": "5.5", "versionStartIncluding": "5.4.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FCF2B8EB-AD17-4664-8C65-CBB793FE89DB", "versionEndExcluding": "5.15.182", "versionStartIncluding": "5.5.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6266F82-46B4-4D38-AC4A-54C92A1DFAB2", "versionEndExcluding": "6.1.138", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BE1DB09-2D62-4C63-AF19-947300669741", "versionEndExcluding": "6.6.90", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5082CE19-0F3D-4521-AB3E-810D8255F500", "versionEndExcluding": "6.12.28", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19E5095E-5950-43EA-8E78-FC860855293F", "versionEndExcluding": "6.14.6", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.5:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE98F46A-F7D9-4609-B6A0-882E7F0D378C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.5:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C58602A-1D3D-4A07-AB88-AB5B403D3E8C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.5:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "54191273-DBF7-4AF6-8039-36DFDEBF4529"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.5:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7A986E40-065E-4807-B171-802B9460E47E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.5:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "911090B3-B2FF-4DD4-A4A4-1BEA41209886"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.5:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3444D854-CE07-4D25-827A-ECF7BB58EA2D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D465631-2980-487A-8E65-40AE2B9F8ED1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C9D071F-B28E-46EC-AC61-22B913390211"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13FC0DDE-E513-465E-9E81-515702D49B74"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C7B5B0E-4EEB-48F5-B4CF-0935A7633845"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}