GHSA-3G9V-MX9V-WMWV

Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2025-11-19 21:31
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: fix eswitch code memory leak in reset scenario

Add simple eswitch mode checker in attaching VF procedure and allocate required port representor memory structures only in switchdev mode. The reset flow triggers VF (if present) detach/attach procedure. It might involve VF port representor(s) re-creation if the device is configured in switchdev mode (not legacy one). The memory was blindly allocated in current implementation, regardless of the mode and not freed if in legacy mode.

Kmemleak trace:
unreferenced object (percpu) 0x7e3bce5b888458 (size 40):
  comm "bash", pid 1784, jiffies 4295743894
  hex dump (first 32 bytes on cpu 45):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 0):
    pcpu_alloc_noprof+0x4c4/0x7c0
    ice_repr_create+0x66/0x130 [ice]
    ice_repr_create_vf+0x22/0x70 [ice]
    ice_eswitch_attach_vf+0x1b/0xa0 [ice]
    ice_reset_all_vfs+0x1dd/0x2f0 [ice]
    ice_pci_err_resume+0x3b/0xb0 [ice]
    pci_reset_function+0x8f/0x120
    reset_store+0x56/0xa0
    kernfs_fop_write_iter+0x120/0x1b0
    vfs_write+0x31c/0x430
    ksys_write+0x61/0xd0
    do_syscall_64+0x5b/0x180
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

Testing hints (ethX is PF netdev):
- create at least one VF
    echo 1 > /sys/class/net/ethX/device/sriov_numvfs
- trigger the reset
    echo 1 > /sys/class/net/ethX/device/reset


{
  "affected": [],
  "aliases": [
    "CVE-2025-38417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-25T14:15:33Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix eswitch code memory leak in reset scenario\n\nAdd simple eswitch mode checker in attaching VF procedure and allocate\nrequired port representor memory structures only in switchdev mode.\nThe reset flows triggers VF (if present) detach/attach procedure.\nIt might involve VF port representor(s) re-creation if the device is\nconfigured is switchdev mode (not legacy one).\nThe memory was blindly allocated in current implementation,\nregardless of the mode and not freed if in legacy mode.\n\nKmemeleak trace:\nunreferenced object (percpu) 0x7e3bce5b888458 (size 40):\n  comm \"bash\", pid 1784, jiffies 4295743894\n  hex dump (first 32 bytes on cpu 45):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 0):\n    pcpu_alloc_noprof+0x4c4/0x7c0\n    ice_repr_create+0x66/0x130 [ice]\n    ice_repr_create_vf+0x22/0x70 [ice]\n    ice_eswitch_attach_vf+0x1b/0xa0 [ice]\n    ice_reset_all_vfs+0x1dd/0x2f0 [ice]\n    ice_pci_err_resume+0x3b/0xb0 [ice]\n    pci_reset_function+0x8f/0x120\n    reset_store+0x56/0xa0\n    kernfs_fop_write_iter+0x120/0x1b0\n    vfs_write+0x31c/0x430\n    ksys_write+0x61/0xd0\n    do_syscall_64+0x5b/0x180\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTesting hints (ethX is PF netdev):\n- create at least one VF\n    echo 1 \u003e /sys/class/net/ethX/device/sriov_numvfs\n- trigger the reset\n    echo 1 \u003e /sys/class/net/ethX/device/reset",
  "id": "GHSA-3g9v-mx9v-wmwv",
  "modified": "2025-11-19T21:31:16Z",
  "published": "2025-07-25T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38417"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/48c8b214974dc55283bd5f12e3a483b27c403bbc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d6715193de439b79f1d6a4c03593c7529239b545"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e97a7a051b55f55f276c1568491d0ed7f890ee94"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

