CVE-2025-38055 (GCVE-0-2025-38055)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-06-18 09:33
Summary
In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq

Currently, using PEBS-via-PT with a sample frequency instead of a sample period causes a segfault. For example:

    BUG: kernel NULL pointer dereference, address: 0000000000000195
    <NMI>
    ? __die_body.cold+0x19/0x27
    ? page_fault_oops+0xca/0x290
    ? exc_page_fault+0x7e/0x1b0
    ? asm_exc_page_fault+0x26/0x30
    ? intel_pmu_pebs_event_update_no_drain+0x40/0x60
    ? intel_pmu_pebs_event_update_no_drain+0x32/0x60
    intel_pmu_drain_pebs_icl+0x333/0x350
    handle_pmi_common+0x272/0x3c0
    intel_pmu_handle_irq+0x10a/0x2e0
    perf_event_nmi_handler+0x2a/0x50

That happens because intel_pmu_pebs_event_update_no_drain() assumes all the pebs_enabled bits represent counter indexes, which is not always the case. In this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.

The behaviour of PEBS-via-PT with sample frequency is questionable because although a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not adjusted anyway.

Putting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing the mask of counter bits instead of 'size'. Note, prior to the Fixes commit, 'size' would be limited to the maximum counter index, so the issue was not hit.
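The faulting walk, modelled as an added C example (this is not code from the kernel or from this record): a miniature cpu_hw_events whose 64-entry events[] array is indexed by pebs_enabled bit, the pre-fix loop that trusts a 'size' bound beside the post-fix loop that first ANDs pebs_enabled with a mask of real counter bits. The counter layout (8 general-purpose counters, 4 fixed counters starting at INTEL_PMC_IDX_FIXED), the PERF_X86_EVENT_AUTO_RELOAD flag value and the struct shapes are assumptions for the model; where the real kernel dereferences event->hw.flags through a NULL slot and oopses, this model returns the offending bit instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants mirroring the arch/x86 perf headers. */
#define X86_PMC_IDX_MAX            64
#define INTEL_PMC_IDX_FIXED        32
#define PEBS_PMI_AFTER_EACH_RECORD (1ULL << 60)   /* bit 60, PEBS-via-PT */
#define PEBS_OUTPUT_PT             (1ULL << 61)   /* bit 61, PEBS-via-PT */
#define PERF_X86_EVENT_AUTO_RELOAD 0x0200         /* flag value assumed for this model */

/* Minimal stand-ins for struct perf_event and struct cpu_hw_events (assumed shapes). */
struct perf_event {
    unsigned int flags;
    unsigned int reloads;                        /* how often the reload helper ran */
};

struct cpu_hw_events {
    uint64_t pebs_enabled;                       /* shadow of MSR_IA32_PEBS_ENABLE */
    struct perf_event *events[X86_PMC_IDX_MAX];  /* indexed by counter bit */
};

/* Model of intel_pmu_save_and_restart_reload(): just count the call. */
static void save_and_restart_reload(struct perf_event *ev) { ev->reloads++; }

/*
 * Pre-fix shape: every set bit of pebs_enabled below 'size' is treated as a
 * counter index. Returns the first bit whose events[] slot is NULL (where the
 * real kernel dereferences event->hw.flags and oopses), or -1 on a clean walk.
 */
static int update_no_drain_old(struct cpu_hw_events *cpuc, int size)
{
    for (int bit = 0; bit < size; bit++) {
        if (!(cpuc->pebs_enabled & (1ULL << bit)))
            continue;
        struct perf_event *ev = cpuc->events[bit];
        if (!ev)
            return bit;                          /* the NULL dereference from the oops */
        if (ev->flags & PERF_X86_EVENT_AUTO_RELOAD)
            save_and_restart_reload(ev);
    }
    return -1;
}

/* Post-fix shape: reduce pebs_enabled to real counter bits before walking it. */
static int update_no_drain_new(struct cpu_hw_events *cpuc, uint64_t mask)
{
    uint64_t pebs_enabled = cpuc->pebs_enabled & mask;
    for (int bit = 0; bit < X86_PMC_IDX_MAX; bit++) {
        if (!(pebs_enabled & (1ULL << bit)))
            continue;
        struct perf_event *ev = cpuc->events[bit];
        if (!ev)
            return bit;
        if (ev->flags & PERF_X86_EVENT_AUTO_RELOAD)
            save_and_restart_reload(ev);
    }
    return -1;
}

struct demo_result {
    int old_limited;        /* old code, size limited to the max counter index (pre-Fixes) */
    int old_full;           /* old code, size = X86_PMC_IDX_MAX (the crashing configuration) */
    int new_masked;         /* fixed code, given a counter mask */
    unsigned int reloads;   /* reload calls made by the fixed walk */
};

struct demo_result run_demo(void)
{
    /* Constructed PMU: 8 GP counters and 4 fixed counters (assumed, Ice Lake-like). */
    const uint64_t pebs_events_mask = 0xffULL;
    const uint64_t fixed_mask = 0xfULL << INTEL_PMC_IDX_FIXED;
    const uint64_t counter_mask = pebs_events_mask | fixed_mask;
    const int max_counter_idx = INTEL_PMC_IDX_FIXED + 4;

    static struct perf_event gp0, fixed0;
    static struct cpu_hw_events cpuc;
    memset(&gp0, 0, sizeof gp0);
    memset(&fixed0, 0, sizeof fixed0);
    memset(&cpuc, 0, sizeof cpuc);
    gp0.flags = fixed0.flags = PERF_X86_EVENT_AUTO_RELOAD;
    cpuc.events[0] = &gp0;
    cpuc.events[INTEL_PMC_IDX_FIXED] = &fixed0;
    /* A PEBS-via-PT event with sample_freq leaves bits 60 and 61 set alongside the counters. */
    cpuc.pebs_enabled = (1ULL << 0) | (1ULL << INTEL_PMC_IDX_FIXED)
                      | PEBS_PMI_AFTER_EACH_RECORD | PEBS_OUTPUT_PT;

    struct demo_result r;
    r.old_limited = update_no_drain_old(&cpuc, max_counter_idx);   /* never reaches bit 60 */
    r.old_full    = update_no_drain_old(&cpuc, X86_PMC_IDX_MAX);   /* faults at bit 60 */
    gp0.reloads = fixed0.reloads = 0;
    r.new_masked  = update_no_drain_new(&cpuc, counter_mask);      /* bits 60/61 masked off */
    r.reloads     = gp0.reloads + fixed0.reloads;
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("old walk, size limited to counters: fault bit %d\n", r.old_limited);
    printf("old walk, size = X86_PMC_IDX_MAX:   fault bit %d\n", r.old_full);
    printf("new walk with counter mask:         fault bit %d, reloads %u\n", r.new_masked, r.reloads);
    return 0;
}
```

The three calls reproduce the commit message's three situations: with 'size' bounded by the last counter index (the pre-Fixes behaviour) the walk never sees bit 60; once 'size' grows to X86_PMC_IDX_MAX the walk hits the empty slot behind PEBS_PMI_AFTER_EACH_RECORD; and with the mask the two PEBS-via-PT control bits are dropped before the loop while both genuine auto-reload events still get their reload.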
Severity
No CVSS data in the CNA record. NVD's analysis (see the embedded record below) scores it CVSS 3.1 5.5 MEDIUM (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and classifies it as CWE-476 (NULL pointer dereference): a local user able to open a PEBS-via-PT perf event with sample_freq (subject to perf_event_paranoid and to the CPU supporting PT and PEBS) can crash the kernel; there is no confidentiality or integrity impact.
Assigner: Linux (kernel CNA, orgId 416baaa9-dc9f-4396-8d5f-8c081fb06d67)
Impacted products
Vendor: Linux   Product: Linux   (source file: arch/x86/events/intel/ds.c)
  Affected (git): from 722e42e45c2f1c6d1adec7813651dba5139f52f4, before ca51db23166767a8445deb8331c9b8d5205d9287
  Affected (git): from 722e42e45c2f1c6d1adec7813651dba5139f52f4, before 0b1874a5b1173fbcb2185ab828f4c33d067e551e
  Affected (git): from 722e42e45c2f1c6d1adec7813651dba5139f52f4, before 99bcd91fabada0dbb1d5f0de44532d8008db93c6
  Affected (git): a9d6d466bcf0621a872e1052bc40e4c6f0541b8d (no fix commit listed)
Vendor: Linux   Product: Linux
  Affected: 6.11
  Unaffected (semver): 0, < 6.11
  Unaffected (semver): 6.12.31, ≤ 6.12.*
  Unaffected (semver): 6.14.9, ≤ 6.14.*
  Unaffected (original_commit_for_fix): 6.15, ≤ *
  Note: NVD's configuration (in the embedded record below) also marks 6.10.5 ≤ version < 6.12.31 and the 6.15 release candidates rc1 through rc6 as vulnerable, so 6.10.y stable kernels need checking too, not only 6.11 and later. Fixed in 6.12.31, 6.14.9 and 6.15.

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/events/intel/ds.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ca51db23166767a8445deb8331c9b8d5205d9287",
              "status": "affected",
              "version": "722e42e45c2f1c6d1adec7813651dba5139f52f4",
              "versionType": "git"
            },
            {
              "lessThan": "0b1874a5b1173fbcb2185ab828f4c33d067e551e",
              "status": "affected",
              "version": "722e42e45c2f1c6d1adec7813651dba5139f52f4",
              "versionType": "git"
            },
            {
              "lessThan": "99bcd91fabada0dbb1d5f0de44532d8008db93c6",
              "status": "affected",
              "version": "722e42e45c2f1c6d1adec7813651dba5139f52f4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a9d6d466bcf0621a872e1052bc40e4c6f0541b8d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/events/intel/ds.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq\n\nCurrently, using PEBS-via-PT with a sample frequency instead of a sample\nperiod, causes a segfault.  For example:\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000195\n    \u003cNMI\u003e\n    ? __die_body.cold+0x19/0x27\n    ? page_fault_oops+0xca/0x290\n    ? exc_page_fault+0x7e/0x1b0\n    ? asm_exc_page_fault+0x26/0x30\n    ? intel_pmu_pebs_event_update_no_drain+0x40/0x60\n    ? intel_pmu_pebs_event_update_no_drain+0x32/0x60\n    intel_pmu_drain_pebs_icl+0x333/0x350\n    handle_pmi_common+0x272/0x3c0\n    intel_pmu_handle_irq+0x10a/0x2e0\n    perf_event_nmi_handler+0x2a/0x50\n\nThat happens because intel_pmu_pebs_event_update_no_drain() assumes all the\npebs_enabled bits represent counter indexes, which is not always the case.\nIn this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.\n\nThe behaviour of PEBS-via-PT with sample frequency is questionable because\nalthough a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not\nadjusted anyway.\n\nPutting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing\nthe mask of counter bits instead of \u0027size\u0027.  Note, prior to the Fixes\ncommit, \u0027size\u0027 would be limited to the maximum counter index, so the issue\nwas not hit."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:35.556Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ca51db23166767a8445deb8331c9b8d5205d9287"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b1874a5b1173fbcb2185ab828f4c33d067e551e"
        },
        {
          "url": "https://git.kernel.org/stable/c/99bcd91fabada0dbb1d5f0de44532d8008db93c6"
        }
      ],
      "title": "perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38055",
    "datePublished": "2025-06-18T09:33:35.556Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-06-18T09:33:35.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38055\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-06-18T10:15:38.213\",\"lastModified\":\"2025-11-14T17:07:02.240\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq\\n\\nCurrently, using PEBS-via-PT with a sample frequency instead of a sample\\nperiod, causes a segfault.  For example:\\n\\n    BUG: kernel NULL pointer dereference, address: 0000000000000195\\n    \u003cNMI\u003e\\n    ? __die_body.cold+0x19/0x27\\n    ? page_fault_oops+0xca/0x290\\n    ? exc_page_fault+0x7e/0x1b0\\n    ? asm_exc_page_fault+0x26/0x30\\n    ? intel_pmu_pebs_event_update_no_drain+0x40/0x60\\n    ? intel_pmu_pebs_event_update_no_drain+0x32/0x60\\n    intel_pmu_drain_pebs_icl+0x333/0x350\\n    handle_pmi_common+0x272/0x3c0\\n    intel_pmu_handle_irq+0x10a/0x2e0\\n    perf_event_nmi_handler+0x2a/0x50\\n\\nThat happens because intel_pmu_pebs_event_update_no_drain() assumes all the\\npebs_enabled bits represent counter indexes, which is not always the case.\\nIn this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.\\n\\nThe behaviour of PEBS-via-PT with sample frequency is questionable because\\nalthough a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not\\nadjusted anyway.\\n\\nPutting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing\\nthe mask of counter bits instead of \u0027size\u0027.  Note, prior to the Fixes\\ncommit, \u0027size\u0027 would be limited to the maximum counter index, so the issue\\nwas not hit.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: perf/x86/intel: Correcci\u00f3n de una falla de segmentaci\u00f3n con PEBS-via-PT con sample_freq. Actualmente, usar PEBS-via-PT con una frecuencia de muestreo en lugar de un periodo de muestreo provoca una falla de segmentaci\u00f3n. Por ejemplo: Error: Desreferencia de puntero nulo del kernel, direcci\u00f3n: 0000000000000195  ? __die_body.cold+0x19/0x27 ? page_fault_oops+0xca/0x290 ? exc_page_fault+0x7e/0x1b0 ? asm_exc_page_fault+0x26/0x30 ? intel_pmu_pebs_event_update_no_drain+0x40/0x60 ? intel_pmu_pebs_event_update_no_drain+0x32/0x60 intel_pmu_drain_pebs_icl+0x333/0x350 handle_pmi_common+0x272/0x3c0 intel_pmu_handle_irq+0x10a/0x2e0 perf_event_nmi_handler+0x2a/0x50 Esto sucede porque intel_pmu_pebs_event_update_no_drain() asume que todos los bits pebs_enabled representan \u00edndices de contador, lo que no siempre es el caso. En este caso particular, los bits 60 y 61 se establecen para fines de PEBS a trav\u00e9s de PT. El comportamiento de PEBS a trav\u00e9s de PT con frecuencia de muestreo es cuestionable porque, aunque se genera un PMI (PEBS_PMI_AFTER_EACH_RECORD), el per\u00edodo no se ajusta de todos modos. Dejando eso de lado, corrija intel_pmu_pebs_event_update_no_drain() pasando la m\u00e1scara de bits del contador en lugar de \u0027size\u0027. Tenga en cuenta que, antes de el commit de las correcciones, \u0027size\u0027 estaba limitado al \u00edndice m\u00e1ximo del contador, por lo que el problema no se solucion\u00f3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.10.5\",\"versionEndExcluding\":\"6.12.31\",\"matchCriteriaId\":\"7574F099-495B-4736-9856-4051B64518D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.14.9\",\"matchCriteriaId\":\"A9B72DD1-715C-4101-A720-1C8D70044C06\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8D465631-2980-487A-8E65-40AE2B9F8ED1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4C9D071F-B28E-46EC-AC61-22B913390211\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"13FC0DDE-E513-465E-9E81-515702D49B74\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C7B5B0E-4EEB-48F5-B4CF-0935A7633845\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"2D240580-3048-49B2-9E27-F115A9DF8224\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.15:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"90320558-E553-4EF5-8A0B-0F5D20113BD2\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0b1874a5b1173fbcb2185ab828f4c33d067e551e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/99bcd91fabada0dbb1d5f0de44532d8008db93c6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ca51db23166767a8445deb8331c9b8d5205d9287\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}
