An update for kernel is now available for openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2123 Final 1.0 1.0 2025-09-05 Initial 2025-09-05 2025-09-05 openEuler SA Tool V1.0 2025-09-05 kernel security update An update for kernel is now available for openEuler-20.03-LTS-SP4 The Linux Kernel, the operating system core itself. Security Fix(es): In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix crash when rebind ccp device for ccp.ko When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding the ccp device causes the following crash: $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind [ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ 204.978026] #PF: supervisor write access in kernel mode [ 204.979126] #PF: error_code(0x0002) - not-present page [ 204.980226] PGD 0 P4D 0 [ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI ... [ 204.997852] Call Trace: [ 204.999074] <TASK> [ 205.000297] start_creating+0x9f/0x1c0 [ 205.001533] debugfs_create_dir+0x1f/0x170 [ 205.002769] ? srso_return_thunk+0x5/0x5f [ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp] [ 205.005241] ccp5_init+0x8b2/0x960 [ccp] [ 205.006469] ccp_dev_init+0xd4/0x150 [ccp] [ 205.007709] sp_init+0x5f/0x80 [ccp] [ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp] [ 205.010165] ? srso_return_thunk+0x5/0x5f [ 205.011376] local_pci_probe+0x4f/0xb0 [ 205.012584] pci_device_probe+0xdb/0x230 [ 205.013810] really_probe+0xed/0x380 [ 205.015024] __driver_probe_device+0x7e/0x160 [ 205.016240] device_driver_attach+0x2f/0x60 [ 205.017457] bind_store+0x7c/0xb0 [ 205.018663] drv_attr_store+0x28/0x40 [ 205.019868] sysfs_kf_write+0x5f/0x70 [ 205.021065] kernfs_fop_write_iter+0x145/0x1d0 [ 205.022267] vfs_write+0x308/0x440 [ 205.023453] ksys_write+0x6d/0xe0 [ 205.024616] __x64_sys_write+0x1e/0x30 [ 205.025778] x64_sys_call+0x16ba/0x2150 [ 205.026942] do_syscall_64+0x56/0x1e0 [ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 205.029276] RIP: 0033:0x7fbc36f10104 [ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5 This patch sets ccp_debugfs_dir to NULL after destroying it in ccp5_debugfs_destroy, allowing the directory dentry to be recreated when rebinding the ccp device. Tested on AMD Ryzen 7 1700X.(CVE-2025-38581) An update for kernel is now available for openEuler-20.03-LTS-SP4. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium kernel https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2123 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-38581 https://nvd.nist.gov/vuln/detail/CVE-2025-38581 openEuler-20.03-LTS-SP4 bpftool-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm bpftool-debuginfo-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm kernel-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm kernel-debuginfo-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm kernel-debugsource-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm kernel-devel-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm kernel-source-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm kernel-tools-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm kernel-tools-debuginfo-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm kernel-tools-devel-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm perf-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm perf-debuginfo-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm python2-perf-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm python2-perf-debuginfo-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm python3-perf-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm python3-perf-debuginfo-4.19.90-2509.1.0.0342.oe2003sp4.aarch64.rpm bpftool-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm bpftool-debuginfo-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm kernel-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm kernel-debuginfo-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm kernel-debugsource-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm kernel-devel-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm kernel-source-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm kernel-tools-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm kernel-tools-debuginfo-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm kernel-tools-devel-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm perf-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm perf-debuginfo-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm python2-perf-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm python2-perf-debuginfo-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm python3-perf-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm python3-perf-debuginfo-4.19.90-2509.1.0.0342.oe2003sp4.x86_64.rpm kernel-4.19.90-2509.1.0.0342.oe2003sp4.src.rpm In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix crash when rebind ccp device for ccp.ko When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding the ccp device causes the following crash: $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind [ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ 204.978026] #PF: supervisor write access in kernel mode [ 204.979126] #PF: error_code(0x0002) - not-present page [ 204.980226] PGD 0 P4D 0 [ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI ... [ 204.997852] Call Trace: [ 204.999074] <TASK> [ 205.000297] start_creating+0x9f/0x1c0 [ 205.001533] debugfs_create_dir+0x1f/0x170 [ 205.002769] ? srso_return_thunk+0x5/0x5f [ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp] [ 205.005241] ccp5_init+0x8b2/0x960 [ccp] [ 205.006469] ccp_dev_init+0xd4/0x150 [ccp] [ 205.007709] sp_init+0x5f/0x80 [ccp] [ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp] [ 205.010165] ? srso_return_thunk+0x5/0x5f [ 205.011376] local_pci_probe+0x4f/0xb0 [ 205.012584] pci_device_probe+0xdb/0x230 [ 205.013810] really_probe+0xed/0x380 [ 205.015024] __driver_probe_device+0x7e/0x160 [ 205.016240] device_driver_attach+0x2f/0x60 [ 205.017457] bind_store+0x7c/0xb0 [ 205.018663] drv_attr_store+0x28/0x40 [ 205.019868] sysfs_kf_write+0x5f/0x70 [ 205.021065] kernfs_fop_write_iter+0x145/0x1d0 [ 205.022267] vfs_write+0x308/0x440 [ 205.023453] ksys_write+0x6d/0xe0 [ 205.024616] __x64_sys_write+0x1e/0x30 [ 205.025778] x64_sys_call+0x16ba/0x2150 [ 205.026942] do_syscall_64+0x56/0x1e0 [ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 205.029276] RIP: 0033:0x7fbc36f10104 [ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5 This patch sets ccp_debugfs_dir to NULL after destroying it in ccp5_debugfs_destroy, allowing the directory dentry to be recreated when rebinding the ccp device. Tested on AMD Ryzen 7 1700X. 2025-09-05 CVE-2025-38581 openEuler-20.03-LTS-SP4 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2025-09-05 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2123