{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-03T01:09:16.537","vulnerabilities":[{"cve":{"id":"CVE-2025-38398","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-07-25T13:15:29.303","lastModified":"2025-11-19T18:18:07.647","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-qpic-snand: reallocate BAM transactions\n\nUsing the mtd_nandbiterrs module for testing the driver occasionally\nresults in weird things like below.\n\n1. swiotlb mapping fails with the following message:\n\n  [   85.926216] qcom_snand 79b0000.spi: swiotlb buffer is full (sz: 4294967294 bytes), total 512 (slots), used 0 (slots)\n  [   85.932937] qcom_snand 79b0000.spi: failure in mapping desc\n  [   87.999314] qcom_snand 79b0000.spi: failure to write raw page\n  [   87.999352] mtd_nandbiterrs: error: write_oob failed (-110)\n\n  Rebooting the board after this causes a panic due to a NULL pointer\n  dereference.\n\n2. If the swiotlb mapping does not fail, rebooting the board may result\n   in a different panic due to a bad spinlock magic:\n\n  [  256.104459] BUG: spinlock bad magic on CPU#3, procd/2241\n  [  256.104488] Unable to handle kernel paging request at virtual address ffffffff0000049b\n  ...\n\nInvestigating the issue revealed that these symptoms are results of\nmemory corruption which is caused by out of bounds access within the\ndriver.\n\nThe driver uses a dynamically allocated structure for BAM transactions,\nwhich structure must have enough space for all possible variations of\ndifferent flash operations initiated by the driver. The required space\nheavily depends on the actual number of 'codewords' which is calculated\nfrom the pagesize of the actual NAND chip.\n\nAlthough the qcom_nandc_alloc() function allocates memory for the BAM\ntransactions during probe, but since the actual number of 'codewords'\nis not yet know the allocation is done for one 'codeword' only.\n\nBecause of this, whenever the driver does a flash operation, and the\nnumber of the required transactions exceeds the size of the allocated\narrays the driver accesses memory out of the allocated range.\n\nTo avoid this, change the code to free the initially allocated BAM\ntransactions memory, and allocate a new one once the actual number of\n'codewords' required for a given NAND chip is known."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: spi: spi-qpic-snand: reasignar transacciones BAM El uso del módulo mtd_nandbiterrs para probar el controlador ocasionalmente da como resultado cosas extrañas como la siguiente. 1. La asignación de swiotlb falla con el siguiente mensaje: [85.926216] qcom_snand 79b0000.spi: el búfer de swiotlb está lleno (sz: 4294967294 bytes), total 512 (ranuras), usado 0 (ranuras) [85.932937] qcom_snand 79b0000.spi: error en la asignación desc [87.999314] qcom_snand 79b0000.spi: error al escribir la página sin formato [87.999352] mtd_nandbiterrs: error: write_oob falló (-110) Reiniciar la placa después de esto provoca un pánico debido a una desreferencia de puntero NULL. 2. Si el mapeo swiotlb no falla, reiniciar la placa puede resultar en un pánico diferente debido a un spinlock magic defectuoso: [ 256.104459] BUG: spinlock bad magic on CPU#3, procd/2241 [ 256.104488] Unable to handle kernel paging request at virtual address ffffffff0000049b ... La investigación del problema reveló que estos síntomas son resultados de la corrupción de memoria que es causada por el acceso fuera de los límites dentro del controlador. El controlador utiliza una estructura asignada dinámicamente para las transacciones BAM, dicha estructura debe tener suficiente espacio para todas las posibles variaciones de diferentes operaciones flash iniciadas por el controlador. El espacio requerido depende en gran medida del número real de 'palabras de código' que se calcula a partir del tamaño de página del chip NAND real. Aunque la función qcom_nandc_alloc() asigna memoria para las transacciones BAM durante el sondeo, pero como el número real de 'palabras de código' aún no se conoce, la asignación se realiza solo para una 'palabra de código'. Por ello, siempre que el controlador realiza una operación de flash y el número de transacciones requeridas excede el tamaño de las matrices asignadas, accede a memoria fuera del rango asignado. Para evitarlo, modifique el código para liberar la memoria de transacciones BAM inicialmente asignada y asigne una nueva una vez que se conozca el número real de palabras de código requeridas para un chip NAND determinado."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.15.6","matchCriteriaId":"575B7891-8019-4D0D-B284-1B8DA410C942"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*","matchCriteriaId":"6D4894DB-CCFE-4602-B1BF-3960B2E19A01"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*","matchCriteriaId":"09709862-E348-4378-8632-5A7813EDDC86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*","matchCriteriaId":"415BF58A-8197-43F5-B3D7-D1D63057A26E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*","matchCriteriaId":"A0517869-312D-4429-80C2-561086E1421C"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/86fb36de1132b560f9305f0c78fa69f459fa0980","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d85d0380292a7e618915069c3579ae23c7c80339","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}