CVE-2025-38072

Published: June 21, 2025Last modified: June 21, 2025

Description

In the Linux kernel, the following vulnerability has been resolved: libnvdimm/labels: Fix divide error in nd_label_data_init() If a faulty CXL memory device returns a broken zero LSA size in its memory device information (Identify Memory Device (Opcode 4000h), CXL spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm driver: Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm] Code and flow: 1) CXL Command 4000h returns LSA size = 0 2) config_size is assigned to zero LSA size (CXL pmem driver): drivers/cxl/pmem.c: .config_size = mds->lsa_size, 3) max_xfer is set to zero (nvdimm driver): drivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd->nsarea.max_xfer, config_size); 4) A subsequent DIV_ROUND_UP() causes a division by zero: drivers/nvdimm/label.c: /* Make our initial read size a multiple of max_xfer size */ drivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer, drivers/nvdimm/label.c- config_size); Fix this by checking the config size parameter by extending an existing check.

Severity score breakdown

Status

References

• https://git.kernel.org/stable/c/1d1e1efad1cf049e888bf175a5c6be85d792620c
• https://git.kernel.org/stable/c/2bd4a938d2eda96ab7288b8fa5aae84a1de8c4ca
• https://git.kernel.org/stable/c/396c46d3f59a18ebcc500640e749f16e197d472b
• https://git.kernel.org/stable/c/db1aef51b8e66a77f76b1250b914589c31a0a0ed
• https://git.kernel.org/stable/c/e14347f647ca6d76fe1509b6703e340f2d5e2716
• https://git.kernel.org/stable/c/ea3d95e05e97ea20fd6513f647393add16fce3b2
• https://git.kernel.org/stable/c/ef1d3455bbc1922f94a91ed58d3d7db440652959
• https://git.kernel.org/stable/c/f49c337037df029440a8390380dd35d2cf5924d3
• https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
• https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html