logo_clicknbuy.png

CVE-2025-38261 – Linux RISC-V SR_SUM Status Vulnerability

The following table lists the changes that have been made to the
CVE-2025-38261 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jul. 09, 2025

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved:

    riscv: save the SR_SUM status over switches

    When threads/tasks are switched we need to ensure the old execution’s
    SR_SUM state is saved and the new thread has the old SR_SUM state
    restored.

    The issue was seen under heavy load especially with the syz-stress tool
    running, with crashes as follows in schedule_tail:

    Unable to handle kernel access to user memory without uaccess routines
    at virtual address 000000002749f0d0
    Oops [#1]
    Modules linked in:
    CPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted
    5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
    Hardware name: riscv-virtio,qemu (DT)
    epc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264
    ra : task_pid_vnr include/linux/sched.h:1421 [inline]
    ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264
    epc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0
    gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000
    t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0
    s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003
    a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00
    a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba
    s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0
    s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850
    s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8
    s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2
    t5 : ffffffc4043cafba t6 : 0000000000040000
    status: 0000000000000120 badaddr: 000000002749f0d0 cause:
    000000000000000f
    Call Trace:
    [] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264
    [] ret_from_exception+0x0/0x14
    Dumping ftrace buffer:
    (ftrace buffer empty)
    —[ end trace b5f8f9231dc87dda ]—

    The issue comes from the put_user() in schedule_tail
    (kernel/sched/core.c) doing the following:

    asmlinkage __visible void schedule_tail(struct task_struct *prev)
    {

    if (current->set_child_tid)
    put_user(task_pid_vnr(current), current->set_child_tid);

    }

    the put_user() macro causes the code sequence to come out as follows:

    1: __enable_user_access()
    2: reg = task_pid_vnr(current);
    3: *current->set_child_tid = reg;
    4: __disable_user_access()

    The problem is that we may have a sleeping function as argument which
    could clear SR_SUM causing the panic above. This was fixed by
    evaluating the argument of the put_user() macro outside the user-enabled
    section in commit 285a76bb2cf5 (“riscv: evaluate put_user() arg before
    enabling user access”)”

    In order for riscv to take advantage of unsafe_get/put_XXX() macros and
    to avoid the same issue we had with put_user() and sleeping functions we
    must ensure code flow can go through switch_to() from within a region of
    code with SR_SUM enabled and come back with SR_SUM still enabled. This
    patch addresses the problem allowing future work to enable full use of
    unsafe_get/put_XXX() macros without needing to take a CSR bit flip cost
    on every access. Make switch_to() save and restore SR_SUM.
    Added Reference https://git.kernel.org/stable/c/69ea599a8dab93a620c92c255be4239a06290a77
    Added Reference https://git.kernel.org/stable/c/788aa64c01f1262310b4c1fb827a36df170d86ea
Share the Post:

Related Posts