CVE-2025-38359

{"id": "CVE-2025-38359", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-07-25T13:15:24.687", "references": [{"url": "https://git.kernel.org/stable/c/11709abccf93b08adde95ef313c300b0d4bc28f1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d2e317dfd2d1fe416c77315d17c5d57dbe374915", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-667"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/mm: Fix in_atomic() handling in do_secure_storage_access()\n\nKernel user spaces accesses to not exported pages in atomic context\nincorrectly try to resolve the page fault.\nWith debug options enabled call traces like this can be seen:\n\nBUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1523\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 419074, name: qemu-system-s39\npreempt_count: 1, expected: 0\nRCU nest depth: 0, expected: 0\nINFO: lockdep is turned off.\nPreemption disabled at:\n[<00000383ea47cfa2>] copy_page_from_iter_atomic+0xa2/0x8a0\nCPU: 12 UID: 0 PID: 419074 Comm: qemu-system-s39\nTainted: G W 6.16.0-20250531.rc0.git0.69b3a602feac.63.fc42.s390x+debug #1 PREEMPT\nTainted: [W]=WARN\nHardware name: IBM 3931 A01 703 (LPAR)\nCall Trace:\n [<00000383e990d282>] dump_stack_lvl+0xa2/0xe8\n [<00000383e99bf152>] __might_resched+0x292/0x2d0\n [<00000383eaa7c374>] down_read+0x34/0x2d0\n [<00000383e99432f8>] do_secure_storage_access+0x108/0x360\n [<00000383eaa724b0>] __do_pgm_check+0x130/0x220\n [<00000383eaa842e4>] pgm_check_handler+0x114/0x160\n [<00000383ea47d028>] copy_page_from_iter_atomic+0x128/0x8a0\n([<00000383ea47d016>] copy_page_from_iter_atomic+0x116/0x8a0)\n [<00000383e9c45eae>] generic_perform_write+0x16e/0x310\n [<00000383e9eb87f4>] ext4_buffered_write_iter+0x84/0x160\n [<00000383e9da0de4>] vfs_write+0x1c4/0x460\n [<00000383e9da123c>] ksys_write+0x7c/0x100\n [<00000383eaa7284e>] __do_syscall+0x15e/0x280\n [<00000383eaa8417e>] system_call+0x6e/0x90\nINFO: lockdep is turned off.\n\nIt is not allowed to take the mmap_lock while in atomic context. Therefore\nhandle such a secure storage access fault as if the accessed page is not\nmapped: the uaccess function will return -EFAULT, and the caller has to\ndeal with this. Usually this means that the access is retried in process\ncontext, which allows to resolve the page fault (or in this case export the\npage)."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: s390/mm: Se corrige la gesti\u00f3n de in_atomic() en do_secure_storage_access(). Los accesos a espacios de usuario del kernel a p\u00e1ginas no exportadas en contexto at\u00f3mico intentan resolver incorrectamente el fallo de p\u00e1gina. Con las opciones de depuraci\u00f3n habilitadas, se pueden observar seguimientos de llamadas como este: BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1523 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 419074, name: qemu-system-s39 preempt_count: 1, expected: 0 RCU nest depth: 0, expected: 0 INFO: lockdep is turned off. Preemption disabled at: [&lt;00000383ea47cfa2&gt;] copy_page_from_iter_atomic+0xa2/0x8a0 CPU: 12 UID: 0 PID: 419074 Comm: qemu-system-s39 Tainted: G W 6.16.0-20250531.rc0.git0.69b3a602feac.63.fc42.s390x+debug #1 PREEMPT Tainted: [W]=WARN Hardware name: IBM 3931 A01 703 (LPAR) Call Trace: [&lt;00000383e990d282&gt;] dump_stack_lvl+0xa2/0xe8 [&lt;00000383e99bf152&gt;] __might_resched+0x292/0x2d0 [&lt;00000383eaa7c374&gt;] down_read+0x34/0x2d0 [&lt;00000383e99432f8&gt;] do_secure_storage_access+0x108/0x360 [&lt;00000383eaa724b0&gt;] __do_pgm_check+0x130/0x220 [&lt;00000383eaa842e4&gt;] pgm_check_handler+0x114/0x160 [&lt;00000383ea47d028&gt;] copy_page_from_iter_atomic+0x128/0x8a0 ([&lt;00000383ea47d016&gt;] copy_page_from_iter_atomic+0x116/0x8a0) [&lt;00000383e9c45eae&gt;] generic_perform_write+0x16e/0x310 [&lt;00000383e9eb87f4&gt;] ext4_buffered_write_iter+0x84/0x160 [&lt;00000383e9da0de4&gt;] vfs_write+0x1c4/0x460 [&lt;00000383e9da123c&gt;] ksys_write+0x7c/0x100 [&lt;00000383eaa7284e&gt;] __do_syscall+0x15e/0x280 [&lt;00000383eaa8417e&gt;] system_call+0x6e/0x90 INFO: lockdep is turned off. No se permite usar mmap_lock en contexto at\u00f3mico. Por lo tanto, se gestiona un fallo de acceso al almacenamiento seguro como si la p\u00e1gina accedida no estuviera mapeada: la funci\u00f3n uaccess devolver\u00e1 -EFAULT, y el usuario que realiza la llamada debe gestionarlo. Normalmente, esto significa que se reintenta el acceso en contexto de proceso, lo que permite resolver el fallo de p\u00e1gina (o, en este caso, exportar la p\u00e1gina)."}], "lastModified": "2025-11-18T20:33:01.203", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B58D73D-F2CA-40B1-A4E0-CAC4B1C67AB2", "versionEndExcluding": "6.15.5"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}