CVE-2025-38445

Summary

In the Linux kernel, the following vulnerability has been resolved:

md/raid1: Fix stack memory use after return in raid1_reshape

In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic.

Example access path:

raid1_reshape() { // newpool is on the stack mempool_t newpool, oldpool; // initialize newpool.wait.head to stack address mempool_init(&newpool, …); conf->r1bio_pool = newpool; }

raid1_read_request() or raid1_write_request() { alloc_r1bio() { mempool_alloc() { // if pool->alloc fails remove_element() { –pool->curr_nr; } } } }

mempool_free() { if (pool->curr_nr < pool->min_nr) { // pool->wait.head is a stack address // wake_up() will try to access this invalid address // which leads to a kernel panic return; wake_up(&pool->wait); } }

Fix: reinit conf->r1bio_pool.wait after assigning newpool.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxafeee514ce7f4cab605beedd03be71ebaf0c5fc8 < d8a6853d00fbaa810765c8ed2f452a5832273968affected
LinuxLinuxafeee514ce7f4cab605beedd03be71ebaf0c5fc8 < 12b00ec99624f8da8c325f2dd6e807df26df0025affected
LinuxLinuxafeee514ce7f4cab605beedd03be71ebaf0c5fc8 < 48da050b4f54ed639b66278d0ae6f4107b2c4e2daffected
LinuxLinuxafeee514ce7f4cab605beedd03be71ebaf0c5fc8 < 5f35e48b76655e45522df338876dfef88dafcc71affected
LinuxLinuxafeee514ce7f4cab605beedd03be71ebaf0c5fc8 < df5894014a92ff0196dbc212a7764e97366fd2b7affected
LinuxLinuxafeee514ce7f4cab605beedd03be71ebaf0c5fc8 < 776e6186dc9ecbdb8a1b706e989166c8a99bbf64affected
LinuxLinuxafeee514ce7f4cab605beedd03be71ebaf0c5fc8 < 61fd5e93006cf82ec8ee5c115ab5cf4bbd104bdbaffected
LinuxLinuxafeee514ce7f4cab605beedd03be71ebaf0c5fc8 < d67ed2ccd2d1dcfda9292c0ea8697a9d0f2f0d98affected
LinuxLinux4.18affected
LinuxLinux0 < 4.18unaffected
LinuxLinux5.4.296 <= 5.4.*unaffected
LinuxLinux5.10.240 <= 5.10.*unaffected
LinuxLinux5.15.189 <= 5.15.*unaffected
LinuxLinux6.1.146 <= 6.1.*unaffected
LinuxLinux6.6.99 <= 6.6.*unaffected
LinuxLinux6.12.39 <= 6.12.*unaffected
LinuxLinux6.15.7 <= 6.15.*unaffected
LinuxLinux6.16 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References