Bug 2375305 (CVE-2025-38086) - CVE-2025-38086 kernel: net: ch9200: fix uninitialised access during mii_nway_restart
Summary: CVE-2025-38086 kernel: net: ch9200: fix uninitialised access during mii_nway_...
Keywords:
Status: NEW
Alias: CVE-2025-38086
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-06-28 08:01 UTC by OSIDB Bzimport
Modified: 2025-06-30 02:51 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-06-28 08:01:16 UTC
In the Linux kernel, the following vulnerability has been resolved:

net: ch9200: fix uninitialised access during mii_nway_restart

In mii_nway_restart() the code attempts to call
mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read()
utilises a local buffer called "buff", which is initialised
with control_read(). However "buff" is conditionally
initialised inside control_read():

        if (err == size) {
                memcpy(data, buf, size);
        }

If the condition of "err == size" is not met, then
"buff" remains uninitialised. Once this happens the
uninitialised "buff" is accessed and returned during
ch9200_mdio_read():

        return (buff[0] | buff[1] << 8);

The problem stems from the fact that ch9200_mdio_read()
ignores the return value of control_read(), leading to
uninit-access of "buff".

To fix this we should check the return value of
control_read() and return early on error.
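A userspace model of the defect and of the fix the commit message describes, added here as an illustration and not taken from the ch9200 driver; the register bytes, the short-read switch and the -EIO return on a short transfer are constructed assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the PHY register bytes (little-endian 0x1234). */
static const uint8_t fake_phy_reg[2] = { 0x34, 0x12 };

/* Test switch (assumption, not in the driver): 1 makes the transfer come back short. */
static int short_read;
void set_short_read(int on) { short_read = on; }

/* Model of control_read(): data is filled only when the full size arrived.
 * Assumed here: a short transfer yields a negative errno to the caller. */
static int control_read(uint8_t *data, int size)
{
    int err = short_read ? size - 1 : size;   /* bytes the transfer returned */
    if (err == size) {
        memcpy(data, fake_phy_reg, size);
        return err;
    }
    return -EIO;
}

/* Pattern described in the commit message: the return value is ignored, so on
 * a short read buff is never written and the expression below reads garbage. */
int mdio_read_unchecked(void)
{
    uint8_t buff[2];
    control_read(buff, 2);
    return buff[0] | buff[1] << 8;
}

/* Fixed pattern: check control_read() and return early on error. */
int mdio_read_checked(void)
{
    uint8_t buff[2];
    int err = control_read(buff, 2);
    if (err < 0)
        return err;
    return buff[0] | buff[1] << 8;
}

int main(void)
{
    printf("good transfer: 0x%04x\n", mdio_read_checked());      /* 0x1234 */
    set_short_read(1);
    printf("short transfer: %d (-EIO)\n", mdio_read_checked());
    return 0;
}
```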

Comment 1 Avinash Hanwate 2025-06-30 02:41:34 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025062801-CVE-2025-38086-783b@gregkh/T

