CVE-2025-38434

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38434
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38434.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38434
Downstream
Published
2025-07-25T14:32:08.089Z
Modified
2025-12-05T09:39:30.721359Z
Summary
Revert "riscv: Define TASK_SIZE_MAX for __access_ok()"
Details

In the Linux kernel, the following vulnerability has been resolved:

Revert "riscv: Define TASKSIZEMAX for _accessok()"

This reverts commit ad5643cf2f69 ("riscv: Define TASKSIZEMAX for _accessok()").

This commit changes TASKSIZEMAX to be LONGMAX to optimize accessok(), because the previous TASKSIZEMAX (default to TASK_SIZE) requires some computation.

The reasoning was that all user addresses are less than LONGMAX, and all kernel addresses are greater than LONGMAX. Therefore access_ok() can filter kernel addresses.

Addresses between TASKSIZE and LONGMAX are not valid user addresses, but access_ok() let them pass. That was thought to be okay, because they are not valid addresses at hardware level.

Unfortunately, one case is missed: getuserpagesfast() happily accepts addresses between TASKSIZE and LONGMAX. futex(), for instance, uses getuserpagesfast(). This causes the problem reported by Robert [1].

Therefore, revert this commit. TASKSIZEMAX is changed to the default: TASK_SIZE.

This unfortunately reduces performance, because TASKSIZE is more expensive to compute compared to LONGMAX. But correctness first, we can think about optimization later, if required.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38434.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ad5643cf2f699989daa85d909403febd6712fccb
Fixed
fe30c30bf3bb68d4a4d8c7c814769857b5c973e6
Fixed
f8b1898748dfeb4f9b67b6a6d661f354b9de3523
Fixed
890ba5be6335dbbbc99af14ea007befb5f83f174

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.15.3
v6.15.4
v6.16-rc1
v6.9
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.12.36
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.5