
THREATINT
PUBLISHED

CVE-2025-38445

md/raid1: Fix stack memory use after return in raid1_reshape

Description

In the Linux kernel, the following vulnerability has been resolved:

md/raid1: Fix stack memory use after return in raid1_reshape

In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic.

Example access path:

    raid1_reshape() {
        // newpool is on the stack
        mempool_t newpool, oldpool;
        // initialize newpool.wait.head to stack address
        mempool_init(&newpool, ...);
        conf->r1bio_pool = newpool;
    }

    raid1_read_request() or raid1_write_request() {
        alloc_r1bio() {
            mempool_alloc() {
                // if pool->alloc fails
                remove_element() {
                    --pool->curr_nr;
                }
            }
        }
    }

    mempool_free() {
        if (pool->curr_nr < pool->min_nr) {
            // pool->wait.head is a stack address
            // wake_up() will try to access this invalid address
            // which leads to a kernel panic
            wake_up(&pool->wait);
            return;
        }
    }

Fix: reinit conf->r1bio_pool.wait after assigning newpool.
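The following is an added, user-space illustration of the bug class the advisory describes; it is not the kernel's code. `struct list_head`, `struct pool`, `struct conf` and every function name are stand-ins chosen for this example: the real `wait_queue_head_t` also carries a spinlock and names its list `head`, and the real `mempool_t` has more fields, but the failure mechanism is the same. A wait queue head is an intrusive circular list, so an initialised head stores its own address; copying the containing struct by value copies that address unchanged, and once the source was a stack local the copy keeps pointing into a dead frame. The example shows the buggy assignment beside the fix (reinitialising the embedded head at its final address), and models why the bug is latent until a backing allocation fails and the element is freed. The dangling pointer is only compared, never dereferenced.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the kernel's struct list_head: an intrusive circular list.
 * An empty list is one whose head points at itself, so an initialised head
 * stores its own address. That self-pointer is what goes stale when the
 * containing struct is copied by value to a new location. */
struct list_head {
    struct list_head *next, *prev;
};

static void init_list_head(struct list_head *h)
{
    h->next = h;
    h->prev = h;
}

/* Stand-in for the parts of mempool_t the advisory talks about:
 * reserve counters plus the embedded wait queue head (wait.head). */
struct pool {
    int min_nr;
    int curr_nr;
    struct list_head wait;   /* models mempool_t.wait.head */
};

static void pool_init(struct pool *p, int min_nr)
{
    p->min_nr = min_nr;
    p->curr_nr = min_nr;
    init_list_head(&p->wait);   /* wait.next == &p->wait for THIS p only */
}

/* Stand-in for struct r1conf, which owns r1bio_pool by value. */
struct conf {
    struct pool r1bio_pool;
};

/* True when the embedded wait head points at its own current location.
 * False means the pointers still name the address the head was initialised
 * at (here: a returned stack frame), so any list walk through them would be
 * a use of stack memory after return. */
bool wait_head_is_consistent(const struct pool *p)
{
    return p->wait.next == &p->wait && p->wait.prev == &p->wait;
}

/* The pattern the advisory describes: newpool lives on the stack, is
 * initialised there, and is assigned by value. The struct copy carries the
 * stack address stored in newpool.wait into conf->r1bio_pool.wait. */
void reshape_buggy(struct conf *c, int new_min_nr)
{
    struct pool newpool;
    pool_init(&newpool, new_min_nr);
    c->r1bio_pool = newpool;
}

/* The fix the advisory states: reinitialise conf->r1bio_pool.wait after the
 * assignment so the self-pointers name the head at its final address. */
void reshape_fixed(struct conf *c, int new_min_nr)
{
    struct pool newpool;
    pool_init(&newpool, new_min_nr);
    c->r1bio_pool = newpool;
    init_list_head(&c->r1bio_pool.wait);
}

/* Models the alloc path in the advisory: when pool->alloc fails,
 * mempool_alloc() falls back to a reserved element and curr_nr drops. */
void alloc_on_backing_alloc_failure(struct pool *p)
{
    if (p->curr_nr > 0)
        p->curr_nr--;   /* remove_element() */
}

/* Models the free path in the advisory: waiters are woken only when the pool
 * is below min_nr, which is why the stale pointer is harmless until an
 * allocation failure has consumed a reserve. Returns true when the real code
 * would reach wake_up(&pool->wait) and walk the list head; the walk itself is
 * deliberately not performed on the buggy object. */
bool free_would_touch_wait(struct pool *p)
{
    if (p->curr_nr < p->min_nr) {
        p->curr_nr++;   /* add_element(): the reserve goes back */
        return true;    /* wake_up(&pool->wait) follows here in the kernel */
    }
    return false;
}

int main(void)
{
    struct conf buggy, fixed;

    reshape_buggy(&buggy, 4);
    reshape_fixed(&fixed, 4);
    printf("buggy wait head consistent: %d\n", wait_head_is_consistent(&buggy.r1bio_pool));
    printf("fixed wait head consistent: %d\n", wait_head_is_consistent(&fixed.r1bio_pool));

    /* Trigger sequence: a backing allocation fails, then the element is
     * freed. Only now would mempool_free() dereference the wait head. */
    alloc_on_backing_alloc_failure(&buggy.r1bio_pool);
    printf("free path reaches wake_up: %d\n", free_would_touch_wait(&buggy.r1bio_pool));
    return 0;
}
```

The general lesson for review: any struct that embeds a self-referential member (a wait queue head, a list head, a debug-instrumented lock) cannot be relocated by plain struct assignment. Either build it in place at its final address or, as the upstream fix does, reinitialise the embedded member after the copy.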

Reserved 2025-04-16 | Published 2025-07-25 | Updated 2025-07-25 | Assigner Linux

Product status

By git commit (default status: unaffected)

  afeee514ce7f4cab605beedd03be71ebaf0c5fc8 before d8a6853d00fbaa810765c8ed2f452a5832273968: affected
  afeee514ce7f4cab605beedd03be71ebaf0c5fc8 before 12b00ec99624f8da8c325f2dd6e807df26df0025: affected
  afeee514ce7f4cab605beedd03be71ebaf0c5fc8 before 48da050b4f54ed639b66278d0ae6f4107b2c4e2d: affected
  afeee514ce7f4cab605beedd03be71ebaf0c5fc8 before 5f35e48b76655e45522df338876dfef88dafcc71: affected
  afeee514ce7f4cab605beedd03be71ebaf0c5fc8 before df5894014a92ff0196dbc212a7764e97366fd2b7: affected
  afeee514ce7f4cab605beedd03be71ebaf0c5fc8 before 776e6186dc9ecbdb8a1b706e989166c8a99bbf64: affected
  afeee514ce7f4cab605beedd03be71ebaf0c5fc8 before 61fd5e93006cf82ec8ee5c115ab5cf4bbd104bdb: affected
  afeee514ce7f4cab605beedd03be71ebaf0c5fc8 before d67ed2ccd2d1dcfda9292c0ea8697a9d0f2f0d98: affected

By kernel version (default status: affected)

  4.18: affected
  Any version before 4.18: unaffected
  5.4.296: unaffected
  5.10.240: unaffected
  5.15.189: unaffected
  6.1.146: unaffected
  6.6.99: unaffected
  6.12.39: unaffected
  6.15.7: unaffected
  6.16-rc6: unaffected

References

git.kernel.org/...c/d8a6853d00fbaa810765c8ed2f452a5832273968

git.kernel.org/...c/12b00ec99624f8da8c325f2dd6e807df26df0025

git.kernel.org/...c/48da050b4f54ed639b66278d0ae6f4107b2c4e2d

git.kernel.org/...c/5f35e48b76655e45522df338876dfef88dafcc71

git.kernel.org/...c/df5894014a92ff0196dbc212a7764e97366fd2b7

git.kernel.org/...c/776e6186dc9ecbdb8a1b706e989166c8a99bbf64

git.kernel.org/...c/61fd5e93006cf82ec8ee5c115ab5cf4bbd104bdb

git.kernel.org/...c/d67ed2ccd2d1dcfda9292c0ea8697a9d0f2f0d98

cve.org (CVE-2025-38445)

nvd.nist.gov (CVE-2025-38445)

Page URL: https://cve.threatint.eu/CVE/CVE-2025-38445