{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38538", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.024Z", "datePublished": "2025-08-16T11:12:30.878Z", "dateUpdated": "2025-08-16T11:12:30.878Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-08-16T11:12:30.878Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: nbpfaxi: Fix memory corruption in probe()\n\nThe nbpf->chan[] array is allocated earlier in the nbpf_probe() function\nand it has \"num_channels\" elements. These three loops iterate one\nelement farther than they should and corrupt memory.\n\nThe changes to the second loop are more involved. In this case, we're\ncopying data from the irqbuf[] array into the nbpf->chan[] array. If\nthe data in irqbuf[i] is the error IRQ then we skip it, so the iterators\nare not in sync. I added a check to ensure that we don't go beyond the\nend of the irqbuf[] array. I'm pretty sure this can't happen, but it\nseemed harmless to add a check.\n\nOn the other hand, after the loop has ended there is a check to ensure\nthat the \"chan\" iterator is where we expect it to be. In the original\ncode we went one element beyond the end of the array so the iterator\nwasn't in the correct place and it would always return -EINVAL. However,\nnow it will always be in the correct place. I deleted the check since\nwe know the result."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/dma/nbpfaxi.c"], "versions": [{"version": "b45b262cefd5b8eb2ba88d20e5bd295881293894", "lessThan": "f366b36c5e3ce29c9a3c8eed3d1631908e4fc8bb", "status": "affected", "versionType": "git"}, {"version": "b45b262cefd5b8eb2ba88d20e5bd295881293894", "lessThan": "4bb016438335ec02b01f96bf1367378c2bfe03e5", "status": "affected", "versionType": "git"}, {"version": "b45b262cefd5b8eb2ba88d20e5bd295881293894", "lessThan": "122160289adf8ebf15060f1cbf6265b55a914948", "status": "affected", "versionType": "git"}, {"version": "b45b262cefd5b8eb2ba88d20e5bd295881293894", "lessThan": "d6bbd67ab5de37a74ac85c83c5a26664b62034dd", "status": "affected", "versionType": "git"}, {"version": "b45b262cefd5b8eb2ba88d20e5bd295881293894", "lessThan": "188c6ba1dd925849c5d94885c8bbdeb0b3dcf510", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/dma/nbpfaxi.c"], "versions": [{"version": "3.17", "status": "affected"}, {"version": "0", "lessThan": "3.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.147", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.100", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.40", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.8", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.17", "versionEndExcluding": "6.1.147"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.17", "versionEndExcluding": "6.6.100"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.17", "versionEndExcluding": "6.12.40"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.17", "versionEndExcluding": "6.15.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.17", "versionEndExcluding": "6.16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f366b36c5e3ce29c9a3c8eed3d1631908e4fc8bb"}, {"url": "https://git.kernel.org/stable/c/4bb016438335ec02b01f96bf1367378c2bfe03e5"}, {"url": "https://git.kernel.org/stable/c/122160289adf8ebf15060f1cbf6265b55a914948"}, {"url": "https://git.kernel.org/stable/c/d6bbd67ab5de37a74ac85c83c5a26664b62034dd"}, {"url": "https://git.kernel.org/stable/c/188c6ba1dd925849c5d94885c8bbdeb0b3dcf510"}], "title": "dmaengine: nbpfaxi: Fix memory corruption in probe()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: nbpfaxi: Fix memory corruption in probe()\n\nThe nbpf->chan[] array is allocated earlier in the nbpf_probe() function\nand it has \"num_channels\" elements. These three loops iterate one\nelement farther than they should and corrupt memory.\n\nThe changes to the second loop are more involved. In this case, we're\ncopying data from the irqbuf[] array into the nbpf->chan[] array. If\nthe data in irqbuf[i] is the error IRQ then we skip it, so the iterators\nare not in sync. I added a check to ensure that we don't go beyond the\nend of the irqbuf[] array. I'm pretty sure this can't happen, but it\nseemed harmless to add a check.\n\nOn the other hand, after the loop has ended there is a check to ensure\nthat the \"chan\" iterator is where we expect it to be. In the original\ncode we went one element beyond the end of the array so the iterator\nwasn't in the correct place and it would always return -EINVAL. However,\nnow it will always be in the correct place. I deleted the check since\nwe know the result."}], "id": "CVE-2025-38538", "lastModified": "2025-08-16T12:15:29.593", "metrics": {}, "published": "2025-08-16T12:15:29.593", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/122160289adf8ebf15060f1cbf6265b55a914948"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/188c6ba1dd925849c5d94885c8bbdeb0b3dcf510"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4bb016438335ec02b01f96bf1367378c2bfe03e5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d6bbd67ab5de37a74ac85c83c5a26664b62034dd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f366b36c5e3ce29c9a3c8eed3d1631908e4fc8bb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}