CVE-2025-38339

{"id": "CVE-2025-38339", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-07-10T09:15:28.633", "references": [{"url": "https://git.kernel.org/stable/c/59ba025948be2a92e8bc9ae1cbdaf197660bd508", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7833deb95e05bec146414b3a2feb24f025ca27c0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/bpf: fix JIT code size calculation of bpf trampoline\n\narch_bpf_trampoline_size() provides JIT size of the BPF trampoline\nbefore the buffer for JIT'ing it is allocated. The total number of\ninstructions emitted for BPF trampoline JIT code depends on where\nthe final image is located. So, the size arrived at with the dummy\npass in arch_bpf_trampoline_size() can vary from the actual size\nneeded in arch_prepare_bpf_trampoline(). When the instructions\naccounted in arch_bpf_trampoline_size() is less than the number of\ninstructions emitted during the actual JIT compile of the trampoline,\nthe below warning is produced:\n\n WARNING: CPU: 8 PID: 204190 at arch/powerpc/net/bpf_jit_comp.c:981 __arch_prepare_bpf_trampoline.isra.0+0xd2c/0xdcc\n\nwhich is:\n\n /* Make sure the trampoline generation logic doesn't overflow */\n if (image && WARN_ON_ONCE(&image[ctx->idx] >\n \t\t\t(u32 *)rw_image_end - BPF_INSN_SAFETY)) {\n\nSo, during the dummy pass, instead of providing some arbitrary image\nlocation, account for maximum possible instructions if and when there\nis a dependency with image location for JIT'ing."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: powerpc/bpf: correcci\u00f3n del c\u00e1lculo del tama\u00f1o del c\u00f3digo JIT del trampol\u00edn BPF. arch_bpf_trampoline_size() proporciona el tama\u00f1o JIT del trampol\u00edn BPF antes de asignar el b\u00fafer para su procesamiento JIT. El n\u00famero total de instrucciones emitidas para el c\u00f3digo JIT del trampol\u00edn BPF depende de la ubicaci\u00f3n de la imagen final. Por lo tanto, el tama\u00f1o obtenido con el paso ficticio en arch_bpf_trampoline_size() puede variar del tama\u00f1o real necesario en arch_prepare_bpf_trampoline(). Cuando las instrucciones contabilizadas en arch_bpf_trampoline_size() son menores que la cantidad de instrucciones emitidas durante la compilaci\u00f3n JIT real del trampol\u00edn, se produce la siguiente advertencia: ADVERTENCIA: CPU: 8 PID: 204190 en arch/powerpc/net/bpf_jit_comp.c:981 __arch_prepare_bpf_trampoline.isra.0+0xd2c/0xdcc que es: /* Aseg\u00farese de que la l\u00f3gica de generaci\u00f3n del trampol\u00edn no se desborde */ if (image && WARN_ON_ONCE(&image[ctx->idx] > (u32 *)rw_image_end - BPF_INSN_SAFETY)) { Entonces, durante el pase ficticio, en lugar de proporcionar una ubicaci\u00f3n de imagen arbitraria, tenga en cuenta la m\u00e1xima cantidad de instrucciones posibles si y cuando exista una dependencia con la ubicaci\u00f3n de la imagen para JIT."}], "lastModified": "2025-11-18T12:52:48.207", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DFD174C5-1AA2-4671-BDDC-1A9FCC753655", "versionEndExcluding": "6.15.4", "versionStartIncluding": "6.13"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}