Bug 2397574 (CVE-2025-39887) - CVE-2025-39887 kernel: tracing/osnoise: Fix null-ptr-deref in bitmap_parselist()
Summary: CVE-2025-39887 kernel: tracing/osnoise: Fix null-ptr-deref in bitmap_parselist()
Keywords:
Status: NEW
Alias: CVE-2025-39887
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-23 07:02 UTC by OSIDB Bzimport
Modified: 2025-09-23 17:07 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-23 07:02:37 UTC 
In the Linux kernel, the following vulnerability has been resolved:

tracing/osnoise: Fix null-ptr-deref in bitmap_parselist()

A crash was observed with the following output:

BUG: kernel NULL pointer dereference, address: 0000000000000010
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 92 Comm: osnoise_cpus Not tainted 6.17.0-rc4-00201-gd69eb204c255 #138 PREEMPT(voluntary)
RIP: 0010:bitmap_parselist+0x53/0x3e0
Call Trace:
 <TASK>
 osnoise_cpus_write+0x7a/0x190
 vfs_write+0xf8/0x410
 ? do_sys_openat2+0x88/0xd0
 ksys_write+0x60/0xd0
 do_syscall_64+0xa4/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

This issue can be reproduced by below code:

fd=open("/sys/kernel/debug/tracing/osnoise/cpus", O_WRONLY);
write(fd, "0-2", 0);

When user pass 'count=0' to osnoise_cpus_write(), kmalloc() will return
ZERO_SIZE_PTR (16) and cpulist_parse() treat it as a normal value, which
trigger the null pointer dereference. Add check for the parameter 'count'.
Comment 1 Jon Moroney 2025-09-23 17:05:14 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025092302-CVE-2025-39887-12f0@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.