CVE-2025-22048

LoongArch: BPF: Don't override subprog's return value

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Don't override subprog's return value The verifier test `calls: div by 0 in subprog` triggers a panic at the
ld.bu instruction. The ld.bu insn is trying to load byte from memory
address returned by the subprog. The subprog actually set the correct
address at the a5 register (dedicated register for BPF return values).
But at commit 73c359d1d356 ("LoongArch: BPF: Sign-extend return values")
we also sign extended a5 to the a0 register (return value in LoongArch).
For function call insn, we later propagate the a0 register back to a5
register. This is right for native calls but wrong for bpf2bpf calls
which expect zero-extended return value in a5 register. So only move a0
to a5 for native calls (i.e. non-BPF_PSEUDO_CALL).

In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Don't override subprog's return value The verifier test `calls: div by 0 in subprog` triggers a panic at the ld.bu instruction. The ld.bu insn is trying to load byte from memory address returned by the subprog. The subprog actually set the correct address at the a5 register (dedicated register for BPF return values). But at commit 73c359d1d356 ("LoongArch: BPF: Sign-extend return values") we also sign extended a5 to the a0 register (return value in LoongArch). For function call insn, we later propagate the a0 register back to a5 register. This is right for native calls but wrong for bpf2bpf calls which expect zero-extended return value in a5 register. So only move a0 to a5 for native calls (i.e. non-BPF_PSEUDO_CALL).

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-12-29 CVE Reserved
2025-04-16 CVE Published
2025-04-16 CVE Updated
2025-04-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/stable/c/0c8d50501bc13cacecc19caaddc10db372592a39	Vuln. Introduced
https://git.kernel.org/stable/c/d5d83242a1d778ceb6d8b07c6b491cf7483ca112	Vuln. Introduced
https://git.kernel.org/stable/c/73c359d1d356cf10236ccd358bd55edab33e9424	Vuln. Introduced
https://git.kernel.org/stable/c/8382e92f90b601acf6d426121e6f4991502e767d	Vuln. Introduced
https://git.kernel.org/stable/c/3b75f627b73d96787a493e2f1187543ba9c056a4	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/7df2696256a034405d3c5a71b3a4c54725de4404	2025-04-10
https://git.kernel.org/stable/c/223d565d8892481684091cfbaf3466f2b0e289d3	2025-04-10
https://git.kernel.org/stable/c/780628a780b622759d9e5adc76d15432144da1a3	2025-04-10
https://git.kernel.org/stable/c/996e90ab446641553e8e21707b38b9709605e0e0	2025-04-10
https://git.kernel.org/stable/c/60f3caff1492e5b8616b9578c4bedb5c0a88ed14	2025-03-30

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.64 < 6.6.87 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.64 < 6.6.87"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.12.2 < 6.12.23 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.12.2 < 6.12.23"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.13 < 6.13.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.13 < 6.13.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.13 < 6.14.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.13 < 6.14.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.13 < 6.15-rc1 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.13 < 6.15-rc1"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.1.120 Search vendor "Linux" for product "Linux Kernel" and version "6.1.120"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.11.11 Search vendor "Linux" for product "Linux Kernel" and version "6.11.11"		en		Affected