Bug 2376411 (CVE-2025-38183) - CVE-2025-38183 kernel: net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get()
Summary: CVE-2025-38183 kernel: net: lan743x: fix potential out-of-bounds write in lan...
Keywords:
Status: NEW
Alias: CVE-2025-38183
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-07-04 14:04 UTC by OSIDB Bzimport
Modified: 2025-07-04 18:18 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-07-04 14:04:40 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get()

Before calling lan743x_ptp_io_event_clock_get(), the 'channel' value
is checked against the maximum value of PCI11X1X_PTP_IO_MAX_CHANNELS(8).
This seems correct and aligns with the PTP interrupt status register
(PTP_INT_STS) specifications.

However, lan743x_ptp_io_event_clock_get() writes to ptp->extts[] with
only LAN743X_PTP_N_EXTTS(4) elements, using channel as an index:

    lan743x_ptp_io_event_clock_get(..., u8 channel,...)
    {
        ...
        /* Update Local timestamp */
        extts = &ptp->extts[channel];
        extts->ts.tv_sec = sec;
        ...
    }

To avoid an out-of-bounds write and utilize all the supported GPIO
inputs, set LAN743X_PTP_N_EXTTS to 8.

Detected using the static analysis tool - Svace.
Comment 1 Mauro Matteo Cascella 2025-07-04 18:09:51 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025070411-CVE-2025-38183-1283@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.