fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var
Summary
| CVE | CVE-2025-38214 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-07-04 14:15:29 UTC |
| Updated | 2026-05-12 13:16:44 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in fb_set_var() fails to allocate memory for fb_videomode, later it may lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered while not having the mode in modelist that is expected to be there, i.e. the one that is described in fb_info->var. ================================================================ general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901 Call Trace: display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929 fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071 resize_screen drivers/tty/vt/vt.c:1176 [inline] vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263 fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720 fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776 do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 ================================================================ The reason is that fb_info->var is being modified in fb_set_var(), and then fb_videomode_to_var() is called. If it fails to add the mode to fb_info->modelist, fb_set_var() returns error, but does not restore the old value of fb_info->var. Restore fb_info->var on failure the same way it is done earlier in the function. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-476
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ee20216f12d9482cd70e44dae5e7fabb38367c71 git | Not specified |
| CNA | Linux | Linux | affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 fab201d72fde38d081e2c5d4ad25595c535b7b22 git | Not specified |
| CNA | Linux | Linux | affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 1a10d91766eb6ddfd5414e4785611e33a4fe0f9b git | Not specified |
| CNA | Linux | Linux | affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ff0e037241173b574b385bff53d67567b9816db5 git | Not specified |
| CNA | Linux | Linux | affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 3ca78032a388a0795201792b36e6fc9b6e6e8eed git | Not specified |
| CNA | Linux | Linux | affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 b3071bb463ea1e6c686d0dc9638fc940f2f5cf17 git | Not specified |
| CNA | Linux | Linux | affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 8a3a2887794b2c8e78b3e5d6e3de724527c9f41b git | Not specified |
| CNA | Linux | Linux | affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 05f6e183879d9785a3cdf2f08a498bc31b7a20aa git | Not specified |
| CNA | Linux | Linux | affected 2.6.12 | Not specified |
| CNA | Linux | Linux | unaffected 2.6.12 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.4.295 5.4.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.239 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.186 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.142 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.95 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.35 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.15.4 6.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.16 * original_commit_for_fix | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.5 * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.5 * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | affected V3.1.5 * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | affected V3.1.5 * custom | Not specified |
| ADP | Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.5 * custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| lists.debian.org/debian-lts-announce/2025/10/msg00008.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List, Third Party Advisory |
| cert-portal.siemens.com/productcert/html/ssa-082556.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/3ca78032a388a0795201792b36e6fc9b6e6e8eed | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/05f6e183879d9785a3cdf2f08a498bc31b7a20aa | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/b3071bb463ea1e6c686d0dc9638fc940f2f5cf17 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/fab201d72fde38d081e2c5d4ad25595c535b7b22 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/ee20216f12d9482cd70e44dae5e7fabb38367c71 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/8a3a2887794b2c8e78b3e5d6e3de724527c9f41b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/ff0e037241173b574b385bff53d67567b9816db5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| lists.debian.org/debian-lts-announce/2025/10/msg00007.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List, Third Party Advisory |
| git.kernel.org/stable/c/1a10d91766eb6ddfd5414e4785611e33a4fe0f9b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.