GHSA-3G7H-WV72-Q2HF

Vulnerability from github – Published: 2025-07-03 09:30 – Updated: 2025-11-20 21:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

dm: limit swapping tables for devices with zone write plugs

dm_revalidate_zones() only allowed new or previously unzoned devices to call blk_revalidate_disk_zones(). If the device was already zoned, disk->nr_zones would always equal md->nr_zones, so dm_revalidate_zones() returned without doing any work. This would make the zoned settings for the device not match the new table. If the device had zone write plug resources, it could run into errors like bdev_zone_is_seq() reading invalid memory because disk->conv_zones_bitmap was the wrong size.

If the device doesn't have any zone write plug resources, calling blk_revalidate_disk_zones() will always correctly update device. If blk_revalidate_disk_zones() fails, it can still overwrite or clear the current disk->nr_zones value. In this case, DM must restore the previous value of disk->nr_zones, so that the zoned settings will continue to match the previous value that it fell back to.

If the device already has zone write plug resources, blk_revalidate_disk_zones() will not correctly update them, if it is called for arbitrary zoned device changes. Since there is not much need for this ability, the easiest solution is to disallow any table reloads that change the zoned settings, for devices that already have zone plug resources. Specifically, if a device already has zone plug resources allocated, it can only switch to another zoned table that also emulates zone append. Also, it cannot change the device size or the zone size. A device can switch to an error target.

Severity ?
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38140"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T09:15:28Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: limit swapping tables for devices with zone write plugs\n\ndm_revalidate_zones() only allowed new or previously unzoned devices to\ncall blk_revalidate_disk_zones(). If the device was already zoned,\ndisk-\u003enr_zones would always equal md-\u003enr_zones, so dm_revalidate_zones()\nreturned without doing any work. This would make the zoned settings for\nthe device not match the new table. If the device had zone write plug\nresources, it could run into errors like bdev_zone_is_seq() reading\ninvalid memory because disk-\u003econv_zones_bitmap was the wrong size.\n\nIf the device doesn\u0027t have any zone write plug resources, calling\nblk_revalidate_disk_zones() will always correctly update device.  If\nblk_revalidate_disk_zones() fails, it can still overwrite or clear the\ncurrent disk-\u003enr_zones value. In this case, DM must restore the previous\nvalue of disk-\u003enr_zones, so that the zoned settings will continue to\nmatch the previous value that it fell back to.\n\nIf the device already has zone write plug resources,\nblk_revalidate_disk_zones() will not correctly update them, if it is\ncalled for arbitrary zoned device changes.  Since there is not much need\nfor this ability, the easiest solution is to disallow any table reloads\nthat change the zoned settings, for devices that already have zone plug\nresources.  Specifically, if a device already has zone plug resources\nallocated, it can only switch to another zoned table that also emulates\nzone append.  Also, it cannot change the device size or the zone size. A\ndevice can switch to an error target.",
  "id": "GHSA-3g7h-wv72-q2hf",
  "modified": "2025-11-20T21:30:29Z",
  "published": "2025-07-03T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38140"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/121218bef4c1df165181f5cd8fc3a2246bac817e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac8acb0bfd98a1c65f3ca9a3e217a766124eebd8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.