{"id":"CVE-2025-38214","summary":"fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var\n\nIf fb_add_videomode() in fb_set_var() fails to allocate memory for\nfb_videomode, later it may lead to a null-ptr dereference in\nfb_videomode_to_var(), as the fb_info is registered while not having the\nmode in modelist that is expected to be there, i.e. the one that is\ndescribed in fb_info-\u003evar.\n\n================================================================\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901\nCall Trace:\n display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929\n fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071\n resize_screen drivers/tty/vt/vt.c:1176 [inline]\n vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263\n fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720\n fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776\n do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128\n fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n================================================================\n\nThe reason is that fb_info-\u003evar is being modified in fb_set_var(), and\nthen fb_videomode_to_var() is called. If it fails to add the mode to\nfb_info-\u003emodelist, fb_set_var() returns error, but does not restore the\nold value of fb_info-\u003evar. Restore fb_info-\u003evar on failure the same way\nit is done earlier in the function.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.","modified":"2026-04-16T00:03:48.880797604Z","published":"2025-07-04T13:37:32.410Z","related":["SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:03204-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38214.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/05f6e183879d9785a3cdf2f08a498bc31b7a20aa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1a10d91766eb6ddfd5414e4785611e33a4fe0f9b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3ca78032a388a0795201792b36e6fc9b6e6e8eed"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8a3a2887794b2c8e78b3e5d6e3de724527c9f41b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b3071bb463ea1e6c686d0dc9638fc940f2f5cf17"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ee20216f12d9482cd70e44dae5e7fabb38367c71"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fab201d72fde38d081e2c5d4ad25595c535b7b22"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ff0e037241173b574b385bff53d67567b9816db5"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38214.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38214"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2"},{"fixed":"ee20216f12d9482cd70e44dae5e7fabb38367c71"},{"fixed":"fab201d72fde38d081e2c5d4ad25595c535b7b22"},{"fixed":"1a10d91766eb6ddfd5414e4785611e33a4fe0f9b"},{"fixed":"ff0e037241173b574b385bff53d67567b9816db5"},{"fixed":"3ca78032a388a0795201792b36e6fc9b6e6e8eed"},{"fixed":"b3071bb463ea1e6c686d0dc9638fc940f2f5cf17"},{"fixed":"8a3a2887794b2c8e78b3e5d6e3de724527c9f41b"},{"fixed":"05f6e183879d9785a3cdf2f08a498bc31b7a20aa"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38214.json"}}],"schema_version":"1.7.5"}