2389486 – (CVE-2025-38586) CVE-2025-38586 kernel: bpf, arm64: Fix fp initialization for exception boundary

Bug 2389486 (CVE-2025-38586) - CVE-2025-38586 kernel: bpf, arm64: Fix fp initialization for exception boundary

Summary: CVE-2025-38586 kernel: bpf, arm64: Fix fp initialization for exception boundary

Keywords:
Status:	NEW
Alias:	CVE-2025-38586
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-08-19 18:03 UTC by OSIDB Bzimport
Modified:	2025-08-19 23:02 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-08-19 18:03:30 UTC

In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Fix fp initialization for exception boundary

In the ARM64 BPF JIT when prog->aux->exception_boundary is set for a BPF
program, find_used_callee_regs() is not called because for a program
acting as exception boundary, all callee saved registers are saved.
find_used_callee_regs() sets `ctx->fp_used = true;` when it sees FP
being used in any of the instructions.

For programs acting as exception boundary, ctx->fp_used remains false
even if frame pointer is used by the program and therefore, FP is not
set-up for such programs in the prologue. This can cause the kernel to
crash due to a pagefault.

Fix it by setting ctx->fp_used = true for exception boundary programs as
fp is always saved in such programs.

Comment 1 Jon Moroney 2025-08-19 22:52:56 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025081915-CVE-2025-38586-789b@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.