{"id":"CVE-2025-38152","summary":"remoteproc: core: Clear table_sz when rproc_shutdown","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: core: Clear table_sz when rproc_shutdown\n\nThere is case as below could trigger kernel dump:\nUse U-Boot to start remote processor(rproc) with resource table\npublished to a fixed address by rproc. After Kernel boots up,\nstop the rproc, load a new firmware which doesn't have resource table\n,and start rproc.\n\nWhen starting rproc with a firmware not have resource table,\n`memcpy(loaded_table, rproc-\u003ecached_table, rproc-\u003etable_sz)` will\ntrigger dump, because rproc-\u003ecache_table is set to NULL during the last\nstop operation, but rproc-\u003etable_sz is still valid.\n\nThis issue is found on i.MX8MP and i.MX9.\n\nDump as below:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\nMem abort info:\n  ESR = 0x0000000096000004\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x04: level 0 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000010af63000\n[0000000000000000] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\nModules linked in:\nCPU: 2 UID: 0 PID: 1060 Comm: sh Not tainted 6.14.0-rc7-next-20250317-dirty #38\nHardware name: NXP i.MX8MPlus EVK board (DT)\npstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __pi_memcpy_generic+0x110/0x22c\nlr : rproc_start+0x88/0x1e0\nCall trace:\n __pi_memcpy_generic+0x110/0x22c (P)\n rproc_boot+0x198/0x57c\n state_store+0x40/0x104\n dev_attr_store+0x18/0x2c\n sysfs_kf_write+0x7c/0x94\n kernfs_fop_write_iter+0x120/0x1cc\n vfs_write+0x240/0x378\n ksys_write+0x70/0x108\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x10c\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x30/0xcc\n el0t_64_sync_handler+0x10c/0x138\n el0t_64_sync+0x198/0x19c\n\nClear rproc-\u003etable_sz to address the issue.","modified":"2026-03-20T12:42:42.243554Z","published":"2025-04-18T07:01:31.714Z","related":["MGASA-2025-0142","MGASA-2025-0146","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01965-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:01972-1","SUSE-SU-2025:02000-1","SUSE-SU-2025:20408-1","SUSE-SU-2025:20413-1","SUSE-SU-2025:20419-1","SUSE-SU-2025:20421-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38152.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/068f6648ff5b0c7adeb6c363fae7fb188aa178fa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2df19f5f6f72da6f6ebab7cdb3a3b9f7686bb476"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6e66bca8cd51ebedd5d32426906a38e4a3c69c5f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7c6bb82a6f3da6ab2d3fbea03901482231708b98"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8e0fd2a3b9852ac3cf540edb06ccc0153b38b5af"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e6015ca453b82ec54aec9682dcc38773948fcc48"},{"type":"WEB","url":"https://git.kernel.org/stable/c/efdde3d73ab25cef4ff2d06783b0aad8b093c0e4"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38152.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38152"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9dc9507f1880fb6225e3e058cb5219b152cbf198"},{"fixed":"6e66bca8cd51ebedd5d32426906a38e4a3c69c5f"},{"fixed":"e6015ca453b82ec54aec9682dcc38773948fcc48"},{"fixed":"7c6bb82a6f3da6ab2d3fbea03901482231708b98"},{"fixed":"2df19f5f6f72da6f6ebab7cdb3a3b9f7686bb476"},{"fixed":"8e0fd2a3b9852ac3cf540edb06ccc0153b38b5af"},{"fixed":"068f6648ff5b0c7adeb6c363fae7fb188aa178fa"},{"fixed":"efdde3d73ab25cef4ff2d06783b0aad8b093c0e4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38152.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}