{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38339", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.005Z", "datePublished": "2025-07-10T08:15:09.646Z", "dateUpdated": "2025-07-10T08:15:09.646Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-07-10T08:15:09.646Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/bpf: fix JIT code size calculation of bpf trampoline\n\narch_bpf_trampoline_size() provides JIT size of the BPF trampoline\nbefore the buffer for JIT'ing it is allocated. The total number of\ninstructions emitted for BPF trampoline JIT code depends on where\nthe final image is located. So, the size arrived at with the dummy\npass in arch_bpf_trampoline_size() can vary from the actual size\nneeded in arch_prepare_bpf_trampoline(). When the instructions\naccounted in arch_bpf_trampoline_size() is less than the number of\ninstructions emitted during the actual JIT compile of the trampoline,\nthe below warning is produced:\n\n WARNING: CPU: 8 PID: 204190 at arch/powerpc/net/bpf_jit_comp.c:981 __arch_prepare_bpf_trampoline.isra.0+0xd2c/0xdcc\n\nwhich is:\n\n /* Make sure the trampoline generation logic doesn't overflow */\n if (image && WARN_ON_ONCE(&image[ctx->idx] >\n \t\t\t(u32 *)rw_image_end - BPF_INSN_SAFETY)) {\n\nSo, during the dummy pass, instead of providing some arbitrary image\nlocation, account for maximum possible instructions if and when there\nis a dependency with image location for JIT'ing."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/powerpc/net/bpf_jit.h", "arch/powerpc/net/bpf_jit_comp.c", "arch/powerpc/net/bpf_jit_comp32.c", "arch/powerpc/net/bpf_jit_comp64.c"], "versions": [{"version": "d243b62b7bd3d5314382d3b54e4992226245e936", "lessThan": "7833deb95e05bec146414b3a2feb24f025ca27c0", "status": "affected", "versionType": "git"}, {"version": "d243b62b7bd3d5314382d3b54e4992226245e936", "lessThan": "59ba025948be2a92e8bc9ae1cbdaf197660bd508", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/powerpc/net/bpf_jit.h", "arch/powerpc/net/bpf_jit_comp.c", "arch/powerpc/net/bpf_jit_comp32.c", "arch/powerpc/net/bpf_jit_comp64.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.4", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.15.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.16-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7833deb95e05bec146414b3a2feb24f025ca27c0"}, {"url": "https://git.kernel.org/stable/c/59ba025948be2a92e8bc9ae1cbdaf197660bd508"}], "title": "powerpc/bpf: fix JIT code size calculation of bpf trampoline", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/bpf: fix JIT code size calculation of bpf trampoline\n\narch_bpf_trampoline_size() provides JIT size of the BPF trampoline\nbefore the buffer for JIT'ing it is allocated. The total number of\ninstructions emitted for BPF trampoline JIT code depends on where\nthe final image is located. So, the size arrived at with the dummy\npass in arch_bpf_trampoline_size() can vary from the actual size\nneeded in arch_prepare_bpf_trampoline(). When the instructions\naccounted in arch_bpf_trampoline_size() is less than the number of\ninstructions emitted during the actual JIT compile of the trampoline,\nthe below warning is produced:\n\n WARNING: CPU: 8 PID: 204190 at arch/powerpc/net/bpf_jit_comp.c:981 __arch_prepare_bpf_trampoline.isra.0+0xd2c/0xdcc\n\nwhich is:\n\n /* Make sure the trampoline generation logic doesn't overflow */\n if (image && WARN_ON_ONCE(&image[ctx->idx] >\n \t\t\t(u32 *)rw_image_end - BPF_INSN_SAFETY)) {\n\nSo, during the dummy pass, instead of providing some arbitrary image\nlocation, account for maximum possible instructions if and when there\nis a dependency with image location for JIT'ing."}], "id": "CVE-2025-38339", "lastModified": "2025-07-10T13:17:30.017", "metrics": {}, "published": "2025-07-10T09:15:28.633", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/59ba025948be2a92e8bc9ae1cbdaf197660bd508"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7833deb95e05bec146414b3a2feb24f025ca27c0"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}