{"uuid": "c21b3cb8-321f-4a1c-ac17-1a59fd1d95b2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-38066", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/18715", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-38066\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: prevent BUG_ON by blocking retries on failed device resumes\n\nA cache device failing to resume due to mapping errors should not be\nretried, as the failure leaves a partially initialized policy object.\nRepeating the resume operation risks triggering BUG_ON when reloading\ncache mappings into the incomplete policy object.\n\nReproduce steps:\n\n1. create a cache metadata consisting of 512 or more cache blocks,\n   with some mappings stored in the first array block of the mapping\n   array. Here we use cache_restore v1.0 to build the metadata.\n\ncat <> cmeta.xml\n\n  \n    \n  \n\nEOF\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ncache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2\ndmsetup remove cmeta\n\n2. wipe the second array block of the mapping array to simulate\n   data degradations.\n\nmapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \\\n2>/dev/null | hexdump -e '1/8 \"%u\\n\"')\nablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \\\n2>/dev/null | hexdump -e '1/8 \"%u\\n\"')\ndd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock\n\n3. try bringing up the cache device. The resume is expected to fail\n   due to the broken array block.\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndmsetup create cache --notable\ndmsetup load cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\ndmsetup resume cache\n\n4. try resuming the cache again. An unexpected BUG_ON is triggered\n   while loading cache mappings.\n\ndmsetup resume cache\n\nKernel logs:\n\n(snip)\n------------[ cut here ]------------\nkernel BUG at drivers/md/dm-cache-policy-smq.c:752!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3\nRIP: 0010:smq_load_mapping+0x3e5/0x570\n\nFix by disallowing resume operations for devices that failed the\ninitial attempt.\n\ud83d\udccf Published: 2025-06-18T09:33:44.877Z\n\ud83d\udccf Modified: 2025-06-18T09:33:44.877Z\n\ud83d\udd17 References:\n1. https://git.kernel.org/stable/c/c614584c2a66b538f469089ac089457a34590c14\n2. https://git.kernel.org/stable/c/c5356a5e80442131e2714d0d26bb110590e4e568\n3. https://git.kernel.org/stable/c/025c8f477625eb39006ded650e7d027bcfb20e79\n4. https://git.kernel.org/stable/c/00586b78eeb7c626a14ca13453a1631f88a7cf36\n5. https://git.kernel.org/stable/c/3986ef4a9b6a0d9c28bc325d8713beba5e67586f\n6. https://git.kernel.org/stable/c/cc80a5cc520939d0a7d071cc4ae4b3c55ef171d0\n7. https://git.kernel.org/stable/c/f3128e3074e8af565cc6a66fe3384a56df87f803\n8. https://git.kernel.org/stable/c/5da692e2262b8f81993baa9592f57d12c2703dea", "creation_timestamp": "2025-06-18T10:40:17.000000Z"}