2365287 – (CVE-2025-37846) CVE-2025-37846 kernel: arm64: mops: Do not dereference src reg for a set operation

Bug 2365287 (CVE-2025-37846) - CVE-2025-37846 kernel: arm64: mops: Do not dereference src reg for a set operation

Summary: CVE-2025-37846 kernel: arm64: mops: Do not dereference src reg for a set oper...

Keywords:
Status:	NEW
Alias:	CVE-2025-37846
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-05-09 07:03 UTC by OSIDB Bzimport
Modified:	2025-05-09 07:47 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-05-09 07:03:25 UTC

In the Linux kernel, the following vulnerability has been resolved:

arm64: mops: Do not dereference src reg for a set operation

The source register is not used for SET* and reading it can result in
a UBSAN out-of-bounds array access error, specifically when the MOPS
exception is taken from a SET* sequence with XZR (reg 31) as the
source. Architecturally this is the only case where a src/dst/size
field in the ESR can be reported as 31.

Prior to 2de451a329cf662b the code in do_el0_mops() was benign as the
use of pt_regs_read_reg() prevented the out-of-bounds access.

Comment 1 Michal Findra 2025-05-09 07:44:10 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025050917-CVE-2025-37846-9afa@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.