How CVE-2025-38152 Works
This vulnerability occurs in the Linux kernel’s `remoteproc` subsystem, which manages remote processors. When a firmware without a resource table is loaded after a previous shutdown, the kernel attempts a `memcpy` operation using a cached table pointer (`rproc->cached_table`), which is NULL, but `rproc->table_sz` remains non-zero. This leads to a NULL pointer dereference, causing a kernel panic. The issue primarily affects NXP i.MX8MP and i.MX9 platforms due to improper cleanup of `table_sz` during `rproc_shutdown`.
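The stale-size condition described above, replayed in a small userspace C model. This is an added example, not kernel code and not code from the original page; `rproc_model`, `model_load`, `model_shutdown`, `model_start` and `replay` are hypothetical names, and the model reports `-1` at the point where the kernel would copy from a NULL source instead of faulting.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct rproc_model {      /* userspace model; hypothetical names, not kernel code */
    void  *cached_table;  /* cached copy of the resource table */
    size_t table_sz;      /* size of that copy */
    char   loaded[64];    /* stand-in for the table area in device memory */
};

static int model_load(struct rproc_model *r, size_t len) {
    if (len == 0)                 /* image without a resource table */
        return 0;                 /* nothing cached, old fields untouched */
    if (len > sizeof(r->loaded) || !(r->cached_table = calloc(1, len)))
        return -1;
    r->table_sz = len;
    return 0;
}

static void model_shutdown(struct rproc_model *r, int with_fix) {
    free(r->cached_table);
    r->cached_table = NULL;
    if (with_fix)
        r->table_sz = 0;          /* the reset the patch adds */
}

/* Start: bytes copied, or -1 where the kernel would memcpy() from NULL. */
static long model_start(struct rproc_model *r) {
    if (r->table_sz && !r->cached_table)
        return -1;
    if (r->table_sz)
        memcpy(r->loaded, r->cached_table, r->table_sz);
    return (long)r->table_sz;
}

/* Boot with a table, shut down, then boot firmware without one. */
static long replay(int with_fix) {
    struct rproc_model r = {0};
    if (model_load(&r, 16) || model_start(&r) != 16)
        return -2;                /* constructed 16-byte table */
    model_shutdown(&r, with_fix);
    model_load(&r, 0);
    return model_start(&r);
}

int main(void) {
    printf("unpatched: %ld, patched: %ld\n", replay(0), replay(1));
    return 0;
}
```

The unpatched replay ends with a NULL pointer paired with a size of 16, which is the inconsistent state the fix removes by resetting both fields together.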
DailyCVE Form
Platform: Linux Kernel
Version: Up to 6.14.0-rc7
Vulnerability: NULL Pointer Dereference
Severity: Critical
Date: 04/29/2025
What Undercode Say:
Exploitation Analysis
- Triggered when switching firmware without resource table after prior `rproc_shutdown`.
- Exploitable via malicious firmware upload or race condition.
- Leads to DoS (kernel panic) on affected systems.
Mitigation Commands
1. Patch Check:
uname -r
git grep "rproc->table_sz" /usr/src/linux/drivers/remoteproc/
2. Temporary Workaround:
# the state attribute accepts "start" and "stop"; this stops the remote processor
echo stop > /sys/class/remoteproc/remoteproc0/state
Code Fix (Patch Snippet)
diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c index abc123..def456 789 a/drivers/remoteproc/remoteproc_core.c +++ b/drivers/remoteproc/remoteproc_core.c @@ -XXX,6 +XXX,7 @@ void rproc_shutdown(struct rproc rproc) rproc->table_ptr = NULL; rproc->cached_table = NULL; + rproc->table_sz = 0; }
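Review bot: the context line `void rproc_shutdown(struct rproc rproc)` declares the argument by value while every line below it dereferences `rproc->`, and the `index abc123..def456 789` and `@@ -XXX,6 +XXX,7 @@` lines are placeholders, so this snippet cannot be applied as written and the real hunk should be taken from the upstream commit. The added `rproc->table_sz = 0;` is correctly grouped with the `rproc->cached_table = NULL;` reset. I would also ask that any other path that clears `rproc->cached_table` zero `table_sz` in the same place, and that the copy site refuse a non-zero size with a NULL source, so the pointer and the size cannot disagree again.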
Detection Script
# The oops line and the remoteproc lines are separate log lines, so test for each
if dmesg | grep -q "Unable to handle kernel NULL pointer dereference" && dmesg | grep -q "remoteproc"; then
    echo "CVE-2025-38152 likely triggered"
fi
Protection Steps
- Update kernel to post-6.14.0-rc7.
- Validate firmware resource tables before loading.
- Restrict `remoteproc` access to privileged users.
Debugging Commands
cat /sys/kernel/debug/remoteproc/remoteproc0/trace0
dmesg | grep remoteproc
Impact Metrics
- CVSS 4.0: 9.1 (Critical)
- Attack Vector: Local/Physical
- Exploit Complexity: Low
Sources:
Reported By: nvd.nist.gov