FKIE_CVE-2025-38581

Vulnerability from fkie_nvd - Published: 2025-08-19 17:15 - Updated: 2026-01-09 13:55
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix crash when rebind ccp device for ccp.ko When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding the ccp device causes the following crash: $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind [ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ 204.978026] #PF: supervisor write access in kernel mode [ 204.979126] #PF: error_code(0x0002) - not-present page [ 204.980226] PGD 0 P4D 0 [ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI ... [ 204.997852] Call Trace: [ 204.999074] <TASK> [ 205.000297] start_creating+0x9f/0x1c0 [ 205.001533] debugfs_create_dir+0x1f/0x170 [ 205.002769] ? srso_return_thunk+0x5/0x5f [ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp] [ 205.005241] ccp5_init+0x8b2/0x960 [ccp] [ 205.006469] ccp_dev_init+0xd4/0x150 [ccp] [ 205.007709] sp_init+0x5f/0x80 [ccp] [ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp] [ 205.010165] ? srso_return_thunk+0x5/0x5f [ 205.011376] local_pci_probe+0x4f/0xb0 [ 205.012584] pci_device_probe+0xdb/0x230 [ 205.013810] really_probe+0xed/0x380 [ 205.015024] __driver_probe_device+0x7e/0x160 [ 205.016240] device_driver_attach+0x2f/0x60 [ 205.017457] bind_store+0x7c/0xb0 [ 205.018663] drv_attr_store+0x28/0x40 [ 205.019868] sysfs_kf_write+0x5f/0x70 [ 205.021065] kernfs_fop_write_iter+0x145/0x1d0 [ 205.022267] vfs_write+0x308/0x440 [ 205.023453] ksys_write+0x6d/0xe0 [ 205.024616] __x64_sys_write+0x1e/0x30 [ 205.025778] x64_sys_call+0x16ba/0x2150 [ 205.026942] do_syscall_64+0x56/0x1e0 [ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 205.029276] RIP: 0033:0x7fbc36f10104 [ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5 This patch sets ccp_debugfs_dir to NULL after destroying it in ccp5_debugfs_destroy, allowing the directory dentry to be recreated when rebinding the ccp device. Tested on AMD Ryzen 7 1700X.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/181698af38d3f93381229ad89c09b5bd0496661aPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/20c0ed8dd65834e6bab464f54cd6ff68659bacb9Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2d4060f05e74dbee884ba723f6afd9282befc3c5Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/64ec9a7e7a6398b172ab6feba60e952163a1c3d5Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6eadf50c1d894cb34f3237064063207460946040Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9dea08eac4f6d6fbbae59992978252e2edab995dPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a25ab6dfa0ce323ec308966988be6b675eb9d3e5Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ce63a83925964ab7564bd216bd92b80bc365492ePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/db111468531777cac8b4beb6515a88a54b0c4a74Patch
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2025/10/msg00007.htmlThird Party Advisory, Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2025/10/msg00008.htmlThird Party Advisory, Mailing List
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
debian debian_linux 11.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "15F57262-DF93-49F0-A018-FEEEFF6D6963",
              "versionEndExcluding": "5.4.297",
              "versionStartIncluding": "4.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D0D21C35-EB8A-488A-BBF9-403E4817E5DD",
              "versionEndExcluding": "5.10.241",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AD9E597F-3DDE-4D7E-976C-463D0611F13F",
              "versionEndExcluding": "5.15.190",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3E5B1B93-C244-4B54-B3AB-12C2635A443B",
              "versionEndExcluding": "6.1.148",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DD6EDB96-08AC-49D8-A1A9-4D2140C49BC7",
              "versionEndExcluding": "6.6.102",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA7AA5E6-4376-4A85-A021-6ACC5FF801C3",
              "versionEndExcluding": "6.12.42",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5890C690-B295-40C2-9121-FF5F987E5142",
              "versionEndExcluding": "6.15.10",
              "versionStartIncluding": "6.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "58182352-D7DF-4CC9-841E-03C1D852C3FB",
              "versionEndExcluding": "6.16.1",
              "versionStartIncluding": "6.16",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix crash when rebind ccp device for ccp.ko\n\nWhen CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding\nthe ccp device causes the following crash:\n\n$ echo \u00270000:0a:00.2\u0027 \u003e /sys/bus/pci/drivers/ccp/unbind\n$ echo \u00270000:0a:00.2\u0027 \u003e /sys/bus/pci/drivers/ccp/bind\n\n[  204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098\n[  204.978026] #PF: supervisor write access in kernel mode\n[  204.979126] #PF: error_code(0x0002) - not-present page\n[  204.980226] PGD 0 P4D 0\n[  204.981317] Oops: Oops: 0002 [#1] SMP NOPTI\n...\n[  204.997852] Call Trace:\n[  204.999074]  \u003cTASK\u003e\n[  205.000297]  start_creating+0x9f/0x1c0\n[  205.001533]  debugfs_create_dir+0x1f/0x170\n[  205.002769]  ? srso_return_thunk+0x5/0x5f\n[  205.004000]  ccp5_debugfs_setup+0x87/0x170 [ccp]\n[  205.005241]  ccp5_init+0x8b2/0x960 [ccp]\n[  205.006469]  ccp_dev_init+0xd4/0x150 [ccp]\n[  205.007709]  sp_init+0x5f/0x80 [ccp]\n[  205.008942]  sp_pci_probe+0x283/0x2e0 [ccp]\n[  205.010165]  ? srso_return_thunk+0x5/0x5f\n[  205.011376]  local_pci_probe+0x4f/0xb0\n[  205.012584]  pci_device_probe+0xdb/0x230\n[  205.013810]  really_probe+0xed/0x380\n[  205.015024]  __driver_probe_device+0x7e/0x160\n[  205.016240]  device_driver_attach+0x2f/0x60\n[  205.017457]  bind_store+0x7c/0xb0\n[  205.018663]  drv_attr_store+0x28/0x40\n[  205.019868]  sysfs_kf_write+0x5f/0x70\n[  205.021065]  kernfs_fop_write_iter+0x145/0x1d0\n[  205.022267]  vfs_write+0x308/0x440\n[  205.023453]  ksys_write+0x6d/0xe0\n[  205.024616]  __x64_sys_write+0x1e/0x30\n[  205.025778]  x64_sys_call+0x16ba/0x2150\n[  205.026942]  do_syscall_64+0x56/0x1e0\n[  205.028108]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  205.029276] RIP: 0033:0x7fbc36f10104\n[  205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5\n\nThis patch sets ccp_debugfs_dir to NULL after destroying it in\nccp5_debugfs_destroy, allowing the directory dentry to be\nrecreated when rebinding the ccp device.\n\nTested on AMD Ryzen 7 1700X."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: crypto: ccp - Se corrige el fallo al revincular el dispositivo ccp para ccp.ko Cuando CONFIG_CRYPTO_DEV_CCP_DEBUGFS est\u00e1 habilitado, revincular el dispositivo ccp provoca el siguiente fallo: $ echo \u00270000:0a:00.2\u0027 \u0026gt; /sys/bus/pci/drivers/ccp/unbind $ echo \u00270000:0a:00.2\u0027 \u0026gt; /sys/bus/pci/drivers/ccp/bind [ 204.976930] ERROR: desreferencia de puntero NULL del kernel, direcci\u00f3n: 0000000000000098 [ 204.978026] #PF: acceso de escritura del supervisor en modo kernel [ 204.979126] #PF: error_code(0x0002) - p\u00e1gina no presente [ 204.980226] PGD 0 P4D 0 [ 204.981317] Ups: Ups: 0002 [#1] SMP NOPTI ... [ 204.997852] Seguimiento de llamadas: [ 204.999074]  [ 205.000297] start_creating+0x9f/0x1c0 [ 205.001533] debugfs_create_dir+0x1f/0x170 [ 205.002769] ? srso_return_thunk+0x5/0x5f [ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp] [ 205.005241] ccp5_init+0x8b2/0x960 [ccp] [ 205.006469] ccp_dev_init+0xd4/0x150 [ccp] [ 205.007709] sp_init+0x5f/0x80 [ccp] [ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp] [ 205.010165] ? srso_return_thunk+0x5/0x5f [ 205.011376] local_pci_probe+0x4f/0xb0 [ 205.012584] pci_device_probe+0xdb/0x230 [ 205.013810] really_probe+0xed/0x380 [ 205.015024] __driver_probe_device+0x7e/0x160 [ 205.016240] device_driver_attach+0x2f/0x60 [ 205.017457] bind_store+0x7c/0xb0 [ 205.018663] drv_attr_store+0x28/0x40 [ 205.019868] sysfs_kf_write+0x5f/0x70 [ 205.021065] kernfs_fop_write_iter+0x145/0x1d0 [ 205.022267] vfs_write+0x308/0x440 [ 205.023453] ksys_write+0x6d/0xe0 [ 205.024616] __x64_sys_write+0x1e/0x30 [ 205.025778] x64_sys_call+0x16ba/0x2150 [ 205.026942] do_syscall_64+0x56/0x1e0 [ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 205.029276] RIP: 0033:0x7fbc36f10104 [ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 \u0026lt;48\u0026gt; 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5  Este parche establece ccp_debugfs_dir como NULL tras destruirlo en ccp5_debugfs_destroy, lo que permite recrear la entrada del directorio al reenlazar el dispositivo ccp. Probado en AMD Ryzen 7 1700X."
    }
  ],
  "id": "CVE-2025-38581",
  "lastModified": "2026-01-09T13:55:19.593",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-08-19T17:15:35.280",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/181698af38d3f93381229ad89c09b5bd0496661a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/20c0ed8dd65834e6bab464f54cd6ff68659bacb9"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/2d4060f05e74dbee884ba723f6afd9282befc3c5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/64ec9a7e7a6398b172ab6feba60e952163a1c3d5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6eadf50c1d894cb34f3237064063207460946040"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9dea08eac4f6d6fbbae59992978252e2edab995d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a25ab6dfa0ce323ec308966988be6b675eb9d3e5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ce63a83925964ab7564bd216bd92b80bc365492e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/db111468531777cac8b4beb6515a88a54b0c4a74"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.