Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-38407— riscv: cpu_ops_sbi: Use static array for boot_data

EPSS 0.02% · P5

Affected Version Matrix 8

VendorProductVersion RangeStatus
LinuxLinux6b9f29b81b155af023da95f560f738f29722b306< f5fe094f35a37adea40b2fd52c99bb1333be9b07affected
6b9f29b81b155af023da95f560f738f29722b306< 02c725cd55eb5052b88eeaa3f60a391ef4dcaec5affected
6b9f29b81b155af023da95f560f738f29722b306< 2b29be967ae456fc09c320d91d52278cf721be1eaffected
6.8affected
< 6.8unaffected
6.12.37≤ 6.12.*unaffected
6.15.6≤ 6.15.*unaffected
6.16≤ *unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-38407

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
riscv: cpu_ops_sbi: Use static array for boot_data
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: riscv: cpu_ops_sbi: Use static array for boot_data Since commit 6b9f29b81b15 ("riscv: Enable pcpu page first chunk allocator"), if NUMA is enabled, the page percpu allocator may be used on very sparse configurations, or when requested on boot with percpu_alloc=page. In that case, percpu data gets put in the vmalloc area. However, sbi_hsm_hart_start() needs the physical address of a sbi_hart_boot_data, and simply assumes that __pa() would work. This causes the just started hart to immediately access an invalid address and hang. Fortunately, struct sbi_hart_boot_data is not too large, so we can simply allocate an array for boot_data statically, putting it in the kernel image. This fixes NUMA=y SMP boot on Sophgo SG2042. To reproduce on QEMU: Set CONFIG_NUMA=y and CONFIG_DEBUG_VIRTUAL=y, then run with: qemu-system-riscv64 -M virt -smp 2 -nographic \ -kernel arch/riscv/boot/Image \ -append "percpu_alloc=page" Kernel output: [ 0.000000] Booting Linux on hartid 0 [ 0.000000] Linux version 6.16.0-rc1 (dram@sakuya) (riscv64-unknown-linux-gnu-gcc (GCC) 14.2.1 20250322, GNU ld (GNU Binutils) 2.44) #11 SMP Tue Jun 24 14:56:22 CST 2025 ... [ 0.000000] percpu: 28 4K pages/cpu s85784 r8192 d20712 ... [ 0.083192] smp: Bringing up secondary CPUs ... [ 0.086722] ------------[ cut here ]------------ [ 0.086849] virt_to_phys used for non-linear address: (____ptrval____) (0xff2000000001d080) [ 0.088001] WARNING: CPU: 0 PID: 1 at arch/riscv/mm/physaddr.c:14 __virt_to_phys+0xae/0xe8 [ 0.088376] Modules linked in: [ 0.088656] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.0-rc1 #11 NONE [ 0.088833] Hardware name: riscv-virtio,qemu (DT) [ 0.088948] epc : __virt_to_phys+0xae/0xe8 [ 0.089001] ra : __virt_to_phys+0xae/0xe8 [ 0.089037] epc : ffffffff80021eaa ra : ffffffff80021eaa sp : ff2000000004bbc0 [ 0.089057] gp : ffffffff817f49c0 tp : ff60000001d60000 t0 : 5f6f745f74726976 [ 0.089076] t1 : 0000000000000076 t2 : 705f6f745f747269 s0 : ff2000000004bbe0 [ 0.089095] s1 : ff2000000001d080 a0 : 0000000000000000 a1 : 0000000000000000 [ 0.089113] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000 [ 0.089131] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000000000000 [ 0.089155] s2 : ffffffff8130dc00 s3 : 0000000000000001 s4 : 0000000000000001 [ 0.089174] s5 : ffffffff8185eff8 s6 : ff2000007f1eb000 s7 : ffffffff8002a2ec [ 0.089193] s8 : 0000000000000001 s9 : 0000000000000001 s10: 0000000000000000 [ 0.089211] s11: 0000000000000000 t3 : ffffffff8180a9f7 t4 : ffffffff8180a9f7 [ 0.089960] t5 : ffffffff8180a9f8 t6 : ff2000000004b9d8 [ 0.089984] status: 0000000200000120 badaddr: ffffffff80021eaa cause: 0000000000000003 [ 0.090101] [<ffffffff80021eaa>] __virt_to_phys+0xae/0xe8 [ 0.090228] [<ffffffff8001d796>] sbi_cpu_start+0x6e/0xe8 [ 0.090247] [<ffffffff8001a5da>] __cpu_up+0x1e/0x8c [ 0.090260] [<ffffffff8002a32e>] bringup_cpu+0x42/0x258 [ 0.090277] [<ffffffff8002914c>] cpuhp_invoke_callback+0xe0/0x40c [ 0.090292] [<ffffffff800294e0>] __cpuhp_invoke_callback_range+0x68/0xfc [ 0.090320] [<ffffffff8002a96a>] _cpu_up+0x11a/0x244 [ 0.090334] [<ffffffff8002aae6>] cpu_up+0x52/0x90 [ 0.090384] [<ffffffff80c09350>] bringup_nonboot_cpus+0x78/0x118 [ 0.090411] [<ffffffff80c11060>] smp_init+0x34/0xb8 [ 0.090425] [<ffffffff80c01220>] kernel_init_freeable+0x148/0x2e4 [ 0.090442] [<ffffffff80b83802>] kernel_init+0x1e/0x14c [ 0.090455] [<ffffffff800124ca>] ret_from_fork_kernel+0xe/0xf0 [ 0.090471] [<ffffffff80b8d9c2>] ret_from_fork_kernel_asm+0x16/0x18 [ 0.090560] ---[ end trace 0000000000000000 ]--- [ 1.179875] CPU1: failed to come online [ 1.190324] smp: Brought up 1 node, 1 CPU
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于riscv架构cpu_ops_sbi模块使用动态分配内存导致物理地址无效,可能导致系统挂起。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 6b9f29b81b155af023da95f560f738f29722b306 ~ f5fe094f35a37adea40b2fd52c99bb1333be9b07 -
LinuxLinux 6.8 -

II. Public POCs for CVE-2025-38407

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-38407

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-07-25 · 114 CVEs total

CVE-2025-38426drm/amdgpu: Add basic validation for RAS header
CVE-2025-38440net/mlx5e: Fix race between DIM disable and net_dim()
CVE-2025-38438ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak.
CVE-2025-38437ksmbd: fix potential use-after-free in oplock/lease break ack
CVE-2025-38436drm/scheduler: signal scheduled fence when kill job
CVE-2025-38435riscv: vector: Fix context save/restore with xtheadvector
CVE-2025-38434Revert "riscv: Define TASK_SIZE_MAX for __access_ok()"
CVE-2025-38433riscv: fix runtime constant support for nommu kernels
CVE-2025-38432net: netpoll: Initialize UDP checksum field before checksumming
CVE-2025-38431smb: client: fix regression with native SMB symlinks
CVE-2025-38430nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request
CVE-2025-38429bus: mhi: ep: Update read pointer only after buffer is written
CVE-2025-38428Input: ims-pcu - check record size in ims_pcu_flash_firmware()
CVE-2025-38427video: screen_info: Relocate framebuffers behind PCI bridges
CVE-2025-38425i2c: tegra: check msg length in SMBUS block read
CVE-2025-38414wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850
CVE-2025-38417ice: fix eswitch code memory leak in reset scenario
CVE-2025-38416NFC: nci: uart: Set tty->disc_data only in success path
CVE-2025-38415Squashfs: check return result of sb_min_blocksize
CVE-2025-38418remoteproc: core: Release rproc->clean_table after rproc_attach() fails

Showing top 20 of 114 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2025-38407

No comments yet

Leave a comment