2367526 – (CVE-2025-37938) CVE-2025-37938 kernel: tracing: Verify event formats that have "%*p.."

Bug 2367526 (CVE-2025-37938) - CVE-2025-37938 kernel: tracing: Verify event formats that have "%*p.."

Summary: CVE-2025-37938 kernel: tracing: Verify event formats that have "%*p.."

Keywords:
Status:	NEW
Alias:	CVE-2025-37938
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-05-20 16:02 UTC by OSIDB Bzimport
Modified:	2025-05-20 22:01 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-05-20 16:02:24 UTC

In the Linux kernel, the following vulnerability has been resolved:

tracing: Verify event formats that have "%*p.."

The trace event verifier checks the formats of trace events to make sure
that they do not point at memory that is not in the trace event itself or
in data that will never be freed. If an event references data that was
allocated when the event triggered and that same data is freed before the
event is read, then the kernel can crash by reading freed memory.

The verifier runs at boot up (or module load) and scans the print formats
of the events and checks their arguments to make sure that dereferenced
pointers are safe. If the format uses "%*p.." the verifier will ignore it,
and that could be dangerous. Cover this case as well.

Also add to the sample code a use case of "%*pbl".

Comment 1 Jon Moroney 2025-05-20 21:54:19 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025052047-CVE-2025-37938-30a4@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.