CVE-2025-71102
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
scs: fix a wrong parameter in __scs_magic
__scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is given. 'task_scs(tsk)' is the starting address of the task's shadow call stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's shadow call stack. Here should be '__scs_magic(task_scs(tsk))'.
The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE is enabled, the shadow call stack usage checking function (scs_check_usage) would scan an incorrect memory range. This could lead
Inaccurate stack usage reporting: The function would calculate wrong usage statistics for the shadow call stack, potentially showing incorrect value in kmsg.
Potential kernel crash: If the value of __scs_magic(tsk)is greater than that of __scs_magic(task_scs(tsk)), the for loop may access unmapped memory, potentially causing a kernel panic. However, this scenario is unlikely because task_struct is allocated via the slab allocator (which typically returns lower addresses), while the shadow call stack returned by task_scs(tsk) is allocated via vmalloc(which typically returns higher addresses).
However, since this is purely a debugging feature (CONFIG_DEBUG_STACK_USAGE), normal production systems should be not unaffected. The bug only impacts developers and testers who are actively debugging stack usage with this configuration enabled.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 < 1727e8bd69103a68963a5613a0ddb6d8d37df5d3 | affected |
| Linux | Linux | 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 < cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c | affected |
| Linux | Linux | 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 < 57ba40b001be27786d0570dd292289df748b306b | affected |
| Linux | Linux | 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 < 062774439d442882b44f5eab8c256ad3423ef284 | affected |
| Linux | Linux | 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 < 9ef28943471a16e4f9646bc3e8e2de148e7d8d7b | affected |
| Linux | Linux | 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 < a19fb3611e4c06624fc0f83ef19f4fb8d57d4751 | affected |
| Linux | Linux | 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 < 08bd4c46d5e63b78e77f2605283874bbe868ab19 | affected |
| Linux | Linux | 5.8 | affected |
| Linux | Linux | 0 < 5.8 | unaffected |
| Linux | Linux | 5.10.248 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.198 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.160 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.120 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.64 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.3 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/1727e8bd69103a68963a5613a0ddb6d8d37df5d3
- https://git.kernel.org/stable/c/cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c
- https://git.kernel.org/stable/c/57ba40b001be27786d0570dd292289df748b306b
- https://git.kernel.org/stable/c/062774439d442882b44f5eab8c256ad3423ef284
- https://git.kernel.org/stable/c/9ef28943471a16e4f9646bc3e8e2de148e7d8d7b
- https://git.kernel.org/stable/c/a19fb3611e4c06624fc0f83ef19f4fb8d57d4751
- https://git.kernel.org/stable/c/08bd4c46d5e63b78e77f2605283874bbe868ab19
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.