CVE-2025-38445
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid1: Fix stack memory use after return in raid1_reshape
In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic.
Example access path:
raid1_reshape() { // newpool is on the stack mempool_t newpool, oldpool; // initialize newpool.wait.head to stack address mempool_init(&newpool, …); conf->r1bio_pool = newpool; }
raid1_read_request() or raid1_write_request() { alloc_r1bio() { mempool_alloc() { // if pool->alloc fails remove_element() { –pool->curr_nr; } } } }
mempool_free() { if (pool->curr_nr < pool->min_nr) { // pool->wait.head is a stack address // wake_up() will try to access this invalid address // which leads to a kernel panic return; wake_up(&pool->wait); } }
Fix: reinit conf->r1bio_pool.wait after assigning newpool.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | afeee514ce7f4cab605beedd03be71ebaf0c5fc8 < d8a6853d00fbaa810765c8ed2f452a5832273968 | affected |
| Linux | Linux | afeee514ce7f4cab605beedd03be71ebaf0c5fc8 < 12b00ec99624f8da8c325f2dd6e807df26df0025 | affected |
| Linux | Linux | afeee514ce7f4cab605beedd03be71ebaf0c5fc8 < 48da050b4f54ed639b66278d0ae6f4107b2c4e2d | affected |
| Linux | Linux | afeee514ce7f4cab605beedd03be71ebaf0c5fc8 < 5f35e48b76655e45522df338876dfef88dafcc71 | affected |
| Linux | Linux | afeee514ce7f4cab605beedd03be71ebaf0c5fc8 < df5894014a92ff0196dbc212a7764e97366fd2b7 | affected |
| Linux | Linux | afeee514ce7f4cab605beedd03be71ebaf0c5fc8 < 776e6186dc9ecbdb8a1b706e989166c8a99bbf64 | affected |
| Linux | Linux | afeee514ce7f4cab605beedd03be71ebaf0c5fc8 < 61fd5e93006cf82ec8ee5c115ab5cf4bbd104bdb | affected |
| Linux | Linux | afeee514ce7f4cab605beedd03be71ebaf0c5fc8 < d67ed2ccd2d1dcfda9292c0ea8697a9d0f2f0d98 | affected |
| Linux | Linux | 4.18 | affected |
| Linux | Linux | 0 < 4.18 | unaffected |
| Linux | Linux | 5.4.296 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.240 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.189 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.146 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.99 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.39 <= 6.12.* | unaffected |
| Linux | Linux | 6.15.7 <= 6.15.* | unaffected |
| Linux | Linux | 6.16 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
References
- https://git.kernel.org/stable/c/d8a6853d00fbaa810765c8ed2f452a5832273968
- https://git.kernel.org/stable/c/12b00ec99624f8da8c325f2dd6e807df26df0025
- https://git.kernel.org/stable/c/48da050b4f54ed639b66278d0ae6f4107b2c4e2d
- https://git.kernel.org/stable/c/5f35e48b76655e45522df338876dfef88dafcc71
- https://git.kernel.org/stable/c/df5894014a92ff0196dbc212a7764e97366fd2b7
- https://git.kernel.org/stable/c/776e6186dc9ecbdb8a1b706e989166c8a99bbf64
- https://git.kernel.org/stable/c/61fd5e93006cf82ec8ee5c115ab5cf4bbd104bdb
- https://git.kernel.org/stable/c/d67ed2ccd2d1dcfda9292c0ea8697a9d0f2f0d98
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.