CVE-2025-38486

{"id": "CVE-2025-38486", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-07-28T12:15:30.600", "references": [{"url": "https://git.kernel.org/stable/c/207cea8b72fcbdf4e6db178e54186ed4f1514b3c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/834bce6a715ae9a9c4dce7892454a19adf22b013", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: Revert \"soundwire: qcom: Add set_channel_map api support\"\n\nThis reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5.\n\nThis patch broke Dragonboard 845c (sdm845). I see:\n\n Unexpected kernel BRK exception at EL1\n Internal error: BRK handler: 00000000f20003e8 [#1] SMP\n pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom]\n lr : snd_soc_dai_set_channel_map+0x34/0x78\n Call trace:\n qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P)\n sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845]\n snd_soc_link_init+0x28/0x6c\n snd_soc_bind_card+0x5f4/0xb0c\n snd_soc_register_card+0x148/0x1a4\n devm_snd_soc_register_card+0x50/0xb0\n sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845]\n platform_probe+0x6c/0xd0\n really_probe+0xc0/0x2a4\n __driver_probe_device+0x7c/0x130\n driver_probe_device+0x40/0x118\n __device_attach_driver+0xc4/0x108\n bus_for_each_drv+0x8c/0xf0\n __device_attach+0xa4/0x198\n device_initial_probe+0x18/0x28\n bus_probe_device+0xb8/0xbc\n deferred_probe_work_func+0xac/0xfc\n process_one_work+0x244/0x658\n worker_thread+0x1b4/0x360\n kthread+0x148/0x228\n ret_from_fork+0x10/0x20\n Kernel panic - not syncing: BRK handler: Fatal exception\n\nDan has also reported following issues with the original patch\nhttps://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mountain/\n\nBug #1:\nThe zeroeth element of ctrl->pconfig[] is supposed to be unused. We\nstart counting at 1. However this code sets ctrl->pconfig[0].ch_mask = 128.\n\nBug #2:\nThere are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only\nQCOM_SDW_MAX_PORTS + 1 (15) in the ctrl->pconfig[] array so it corrupts\nmemory like Yongqin Liu pointed out.\n\nBug 3:\nLike Jie Gan pointed out, it erases all the tx information with the rx\ninformation."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: soundwire: Revertir \"soundwire: qcom: A\u00f1adir compatibilidad con la API set_channel_map\". Esto revierte el commit 7796c97df6b1b2206681a07f3c80f6023a6593d5. Este parche interrumpi\u00f3 la versi\u00f3n Dragonboard 845c (sdm845). Veo: Excepci\u00f3n BRK de kernel inesperada en EL1 Error interno: BRK handler: 00000000f20003e8 [#1] SMP pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] lr : snd_soc_dai_set_channel_map+0x34/0x78 Call trace: qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P) sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845] snd_soc_link_init+0x28/0x6c snd_soc_bind_card+0x5f4/0xb0c snd_soc_register_card+0x148/0x1a4 devm_snd_soc_register_card+0x50/0xb0 sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845] platform_probe+0x6c/0xd0 really_probe+0xc0/0x2a4 __driver_probe_device+0x7c/0x130 driver_probe_device+0x40/0x118 __device_attach_driver+0xc4/0x108 bus_for_each_drv+0x8c/0xf0 __device_attach+0xa4/0x198 device_initial_probe+0x18/0x28 bus_probe_device+0xb8/0xbc deferred_probe_work_func+0xac/0xfc process_one_work+0x244/0x658 worker_thread+0x1b4/0x360 kthread+0x148/0x228 ret_from_fork+0x10/0x20 Kernel panic - not syncing: BRK handler: Fatal exception Dan has also reported following issues with the original patch https://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mountain/ Bug #1: se supone que el elemento cero de ctrl->pconfig[] no se utiliza. Empezamos a contar desde 1. Sin embargo, este c\u00f3digo establece ctrl->pconfig[0].ch_mask = 128. Error n.\u00b0 2: Hay elementos SLIM_MAX_TX_PORTS (16) en la matriz tx_ch[], pero solo QCOM_SDW_MAX_PORTS + 1 (15) en la matriz ctrl->pconfig[], por lo que corrompe la memoria, como se\u00f1al\u00f3 Yongqin Liu. Error 3: Como se\u00f1al\u00f3 Jie Gan, borra toda la informaci\u00f3n de la transmisi\u00f3n junto con la de la recepci\u00f3n."}], "lastModified": "2025-11-19T17:45:46.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7AAE4EC0-78FF-4244-B25E-7B6A937DA2D5", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D4894DB-CCFE-4602-B1BF-3960B2E19A01"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09709862-E348-4378-8632-5A7813EDDC86"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "415BF58A-8197-43F5-B3D7-D1D63057A26E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A0517869-312D-4429-80C2-561086E1421C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "85421F4E-C863-4ABF-B4B4-E887CC2F7F92"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3827F0D4-5FEE-4181-B267-5A45E7CA11FC"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}