{"schema_version":"1.7.2","id":"OESA-2025-1627","modified":"2025-06-13T14:19:56Z","published":"2025-06-13T14:19:56Z","upstream":["CVE-2023-53082","CVE-2025-23148","CVE-2025-23156","CVE-2025-37923","CVE-2025-37995"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nvp_vdpa: fix the crash in hot unplug with vp_vdpa\n\nWhile unplugging the vp_vdpa device, it triggers a kernel panic\nThe root cause is: vdpa_mgmtdev_unregister() will accesses modern\ndevices which will cause a use after free.\nSo need to change the sequence in vp_vdpa_remove\n\n[  195.003359] BUG: unable to handle page fault for address: ff4e8beb80199014\n[  195.004012] #PF: supervisor read access in kernel mode\n[  195.004486] #PF: error_code(0x0000) - not-present page\n[  195.004960] PGD 100000067 P4D 1001b6067 PUD 1001b7067 PMD 1001b8067 PTE 0\n[  195.005578] Oops: 0000 1 PREEMPT SMP PTI\n[  195.005968] CPU: 13 PID: 164 Comm: kworker/u56:10 Kdump: loaded Not tainted 5.14.0-252.el9.x86_64 #1\n[  195.006792] Hardware name: Red Hat KVM/RHEL, BIOS edk2-20221207gitfff6d81270b5-2.el9 unknown\n[  195.007556] Workqueue: kacpi_hotplug acpi_hotplug_work_fn\n[  195.008059] RIP: 0010:ioread8+0x31/0x80\n[  195.008418] Code: 77 28 48 81 ff 00 00 01 00 76 0b 89 fa ec 0f b6 c0 c3 cc cc cc cc 8b 15 ad 72 93 01 b8 ff 00 00 00 85 d2 75 0f c3 cc cc cc cc <8a> 07 0f b6 c0 c3 cc cc cc cc 83 ea 01 48 83 ec 08 48 89 fe 48 c7\n[  195.010104] RSP: 0018:ff4e8beb8067bab8 EFLAGS: 00010292\n[  195.010584] RAX: ffffffffc05834a0 RBX: ffffffffc05843c0 RCX: ff4e8beb8067bae0\n[  195.011233] RDX: ff1bcbd580f88000 RSI: 0000000000000246 RDI: ff4e8beb80199014\n[  195.011881] RBP: ff1bcbd587e39000 R08: ffffffff916fa2d0 R09: ff4e8beb8067ba68\n[  195.012527] R10: 000000000000001c R11: 0000000000000000 R12: ff1bcbd5a3de9120\n[  195.013179] R13: ffffffffc062d000 R14: 0000000000000080 
R15: ff1bcbe402bc7805\n[  195.013826] FS:  0000000000000000(0000) GS:ff1bcbe402740000(0000) knlGS:0000000000000000\n[  195.014564] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  195.015093] CR2: ff4e8beb80199014 CR3: 0000000107dea002 CR4: 0000000000771ee0\n[  195.015741] PKRU: 55555554\n[  195.016001] Call Trace:\n[  195.016233]  <TASK>\n[  195.016434]  vp_modern_get_status+0x12/0x20\n[  195.016823]  vp_vdpa_reset+0x1b/0x50 [vp_vdpa]\n[  195.017238]  virtio_vdpa_reset+0x3c/0x48 [virtio_vdpa]\n[  195.017709]  remove_vq_common+0x1f/0x3a0 [virtio_net]\n[  195.018178]  virtnet_remove+0x5d/0x70 [virtio_net]\n[  195.018618]  virtio_dev_remove+0x3d/0x90\n[  195.018986]  device_release_driver_internal+0x1aa/0x230\n[  195.019466]  bus_remove_device+0xd8/0x150\n[  195.019841]  device_del+0x18b/0x3f0\n[  195.020167]  ? kernfs_find_ns+0x35/0xd0\n[  195.020526]  device_unregister+0x13/0x60\n[  195.020894]  unregister_virtio_device+0x11/0x20\n[  195.021311]  device_release_driver_internal+0x1aa/0x230\n[  195.021790]  bus_remove_device+0xd8/0x150\n[  195.022162]  device_del+0x18b/0x3f0\n[  195.022487]  device_unregister+0x13/0x60\n[  195.022852]  ? vdpa_dev_remove+0x30/0x30 [vdpa]\n[  195.023270]  vp_vdpa_dev_del+0x12/0x20 [vp_vdpa]\n[  195.023694]  vdpa_match_remove+0x2b/0x40 [vdpa]\n[  195.024115]  bus_for_each_dev+0x78/0xc0\n[  195.024471]  vdpa_mgmtdev_unregister+0x65/0x80 [vdpa]\n[  195.024937]  vp_vdpa_remove+0x23/0x40 [vp_vdpa]\n[  195.025353]  pci_device_remove+0x36/0xa0\n[  195.025719]  device_release_driver_internal+0x1aa/0x230\n[  195.026201]  pci_stop_bus_device+0x6c/0x90\n[  195.026580]  pci_stop_and_remove_bus_device+0xe/0x20\n[  195.027039]  disable_slot+0x49/0x90\n[  195.027366]  acpiphp_disable_and_eject_slot+0x15/0x90\n[  195.027832]  hotplug_event+0xea/0x210\n[  195.028171]  ? hotplug_event+0x210/0x210\n[  195.028535]  acpiphp_hotplug_notify+0x22/0x80\n[  195.028942]  ? 
hotplug_event+0x210/0x210\n[  195.029303]  acpi_device_hotplug+0x8a/0x1d0\n[  195.029690]  acpi_hotplug_work_fn+0x1a/0x30\n[  195.030077]  process_one_work+0x1e8/0x3c0\n[  195.030451]  worker_thread+0x50/0x3b0\n[  195.030791]  ? rescuer_thread+0x3a0/0x3a0\n[  195.031165]  kthread+0xd9/0x100\n[  195.031459]  ? kthread_complete_and_exit+0x20/0x20\n[  195.031899]  ret_from_fork+0x22/0x30\n[  195.032233]  </TASK>(CVE-2023-53082)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nsoc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()\n\nsoc_dev_attr->revision could be NULL, thus,\na pointer check is added to prevent potential NULL pointer dereference.\nThis is similar to the fix in commit 3027e7b15b02\n(\"ice: Fix some null pointer dereference issues in ice_ptp.c\").\n\nThis issue is found by our static analysis tool.(CVE-2025-23148)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi_parser: refactor hfi packet parsing logic\n\nwords_count denotes the number of words in total payload, while data\npoints to payload of various property within it. When words_count\nreaches last word, data can access memory beyond the total payload. This\ncan lead to OOB access. With this patch, the utility api for handling\nindividual properties now returns the size of data consumed. 
Accordingly\nremaining bytes are calculated before parsing the payload, thereby\neliminates the OOB access possibilities.(CVE-2025-23156)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix oob write in trace_seq_to_buffer()\n\nsyzbot reported this bug:\n==================================================================\nBUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]\nBUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822\nWrite of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260\n\nCPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106\n trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]\n tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822\n ....\n==================================================================\n\nIt has been reported that trace_seq_to_buffer() tries to copy more data\nthan PAGE_SIZE to buf. Therefore, to prevent this, we should use the\nsmaller of trace_seq_used(&iter->seq) and PAGE_SIZE as an argument.(CVE-2025-37923)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmodule: ensure that kobject_put() is safe for module type kobjects\n\nIn 'lookup_or_create_module_kobject()', an internal kobject is created\nusing 'module_ktype'. 
So call to 'kobject_put()' on error handling\npath causes an attempt to use an uninitialized completion pointer in\n'module_kobject_release()'. In this scenario, we just want to release\nkobject without an extra synchronization required for a regular module\nunloading process, so adding an extra check whether 'complete()' is\nactually required makes 'kobject_put()' safe.(CVE-2025-37995)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP3","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-267.0.0.169.oe2203sp3"}]}],"ecosystem_specific":{"aarch64":["kernel-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm","kernel-debuginfo-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm","kernel-debugsource-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm","kernel-devel-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm","kernel-headers-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm","kernel-source-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm","kernel-tools-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm","kernel-tools-debuginfo-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm","kernel-tools-devel-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm","perf-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm","perf-debuginfo-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm","python3-perf-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm","python3-perf-debuginfo-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm"],"src":["kernel-5.10.0-267.0.0.169.oe2203sp3.src.rpm"],"x86_64":["kernel-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm","kernel-debuginfo-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm","kernel-debugsource-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm","kernel-devel-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm","kernel-headers-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm","kernel-source-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm","kernel-tools-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm","kernel-tools-debuginfo-5.10.0-2
67.0.0.169.oe2203sp3.x86_64.rpm","kernel-tools-devel-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm","perf-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm","perf-debuginfo-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm","python3-perf-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm","python3-perf-debuginfo-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1627"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53082"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23148"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23156"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37923"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37995"}],"database_specific":{"severity":"High"}}