CVE-2025-38226

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38226
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38226.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38226
Downstream
Related
Published
2025-07-04T14:15:31Z
Modified
2025-08-12T21:01:18Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

media: vivid: Change the siize of the composing

syzkaller found a bug:

BUG: KASAN: vmalloc-out-of-bounds in tpgfillplanepattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] BUG: KASAN: vmalloc-out-of-bounds in tpgfillplanebuffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304

CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014

Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0x169/0x550 mm/kasan/report.c:489 kasanreport+0x143/0x180 mm/kasan/report.c:602 kasancheckrange+0x282/0x290 mm/kasan/generic.c:189 _asanmemcpy+0x40/0x70 mm/kasan/shadow.c:106 tpgfillplanepattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] tpgfillplanebuffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 vividfillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline] vividthreadvidcaptick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629 vividthreadvidcap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767 kthread+0x7a9/0x920 kernel/kthread.c:464 retfromfork+0x4b/0x80 arch/x86/kernel/process.c:148 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:244 </TASK>

The composition size cannot be larger than the size of fmtcaprect. So execute v4l2rectmapinside() even if hascompose_cap == 0.

References

Affected packages