IT security experts: cybersecurity audits and consulting
French cybersecurity company since 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2025-38066

Description

In the Linux kernel, the following vulnerability has been resolved:

dm cache: prevent BUG_ON by blocking retries on failed device resumes

A cache device failing to resume due to mapping errors should not be
retried, as the failure leaves a partially initialized policy object.
Repeating the resume operation risks triggering BUG_ON when reloading
cache mappings into the incomplete policy object.

Reproduce steps:

1. create a cache metadata consisting of 512 or more cache blocks,
   with some mappings stored in the first array block of the mapping
   array. Here we use cache_restore v1.0 to build the metadata.

cat <<EOF >> cmeta.xml
[XML metadata body not preserved on this page]
EOF
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2
dmsetup remove cmeta

2. wipe the second array block of the mapping array to simulate
   data degradations.

mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \
2>/dev/null | hexdump -e '1/8 "%u\n"')
ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \
2>/dev/null | hexdump -e '1/8 "%u\n"')
dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock

3. try bringing up the cache device. The resume is expected to fail
   due to the broken array block.

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dmsetup create cache --notable
dmsetup load cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
dmsetup resume cache

4. try resuming the cache again. An unexpected BUG_ON is triggered
   while loading cache mappings.

dmsetup resume cache

Kernel logs:

(snip)
------------[ cut here ]------------
kernel BUG at drivers/md/dm-cache-policy-smq.c:752!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3
RIP: 0010:smq_load_mapping+0x3e5/0x570

Fix by disallowing resume operations for devices that failed the
initial attempt.

POC

Reference

No PoCs from references.

Github

- https://github.com/w4zu/Debian_security