ghsa-2788-7prj-r2qv
Vulnerability from github
Published
2025-04-16 15:34
Modified
2025-04-29 21:31
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

PCI/bwctrl: Fix NULL pointer dereference on bus number exhaustion

When BIOS neglects to assign bus numbers to PCI bridges, the kernel attempts to correct that during PCI device enumeration. If it runs out of bus numbers, no pci_bus is allocated and the "subordinate" pointer in the bridge's pci_dev remains NULL.

The PCIe bandwidth controller erroneously does not check for a NULL subordinate pointer and dereferences it on probe.

Bandwidth control of unusable devices below the bridge is of questionable utility, so simply error out instead. This mirrors what PCIe hotplug does since commit 62e4492c3063 ("PCI: Prevent NULL dereference during pciehp probe").

The PCI core emits a message with KERN_INFO severity if it has run out of bus numbers. PCIe hotplug emits an additional message with KERN_ERR severity to inform the user that hotplug functionality is disabled at the bridge. A similar message for bandwidth control does not seem merited, given that its only purpose so far is to expose an up-to-date link speed in sysfs and throttle the link speed on certain laptops with limited Thermal Design Power. So error out silently.

User-visible messages:

pci 0000:16:02.0: bridge configuration invalid ([bus 00-00]), reconfiguring [...] pci_bus 0000:45: busn_res: [bus 45-74] end is updated to 74 pci 0000:16:02.0: devices behind bridge are unusable because [bus 45-74] cannot be assigned for them [...] pcieport 0000:16:02.0: pciehp: Hotplug bridge without secondary bus, ignoring [...] BUG: kernel NULL pointer dereference RIP: pcie_update_link_speed pcie_bwnotif_enable pcie_bwnotif_probe pcie_port_probe_service really_probe

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-22031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-16T15:15:55Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/bwctrl: Fix NULL pointer dereference on bus number exhaustion\n\nWhen BIOS neglects to assign bus numbers to PCI bridges, the kernel\nattempts to correct that during PCI device enumeration.  If it runs out\nof bus numbers, no pci_bus is allocated and the \"subordinate\" pointer in\nthe bridge\u0027s pci_dev remains NULL.\n\nThe PCIe bandwidth controller erroneously does not check for a NULL\nsubordinate pointer and dereferences it on probe.\n\nBandwidth control of unusable devices below the bridge is of questionable\nutility, so simply error out instead.  This mirrors what PCIe hotplug does\nsince commit 62e4492c3063 (\"PCI: Prevent NULL dereference during pciehp\nprobe\").\n\nThe PCI core emits a message with KERN_INFO severity if it has run out of\nbus numbers.  PCIe hotplug emits an additional message with KERN_ERR\nseverity to inform the user that hotplug functionality is disabled at the\nbridge.  A similar message for bandwidth control does not seem merited,\ngiven that its only purpose so far is to expose an up-to-date link speed\nin sysfs and throttle the link speed on certain laptops with limited\nThermal Design Power.  So error out silently.\n\nUser-visible messages:\n\n  pci 0000:16:02.0: bridge configuration invalid ([bus 00-00]), reconfiguring\n  [...]\n  pci_bus 0000:45: busn_res: [bus 45-74] end is updated to 74\n  pci 0000:16:02.0: devices behind bridge are unusable because [bus 45-74] cannot be assigned for them\n  [...]\n  pcieport 0000:16:02.0: pciehp: Hotplug bridge without secondary bus, ignoring\n  [...]\n  BUG: kernel NULL pointer dereference\n  RIP: pcie_update_link_speed\n  pcie_bwnotif_enable\n  pcie_bwnotif_probe\n  pcie_port_probe_service\n  really_probe",
  "id": "GHSA-2788-7prj-r2qv",
  "modified": "2025-04-29T21:31:46Z",
  "published": "2025-04-16T15:34:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22031"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1181924af78e5299ddec6e457789c02dd5966559"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/667f053b05f00a007738cd7ed6fa1901de19dc7e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d93d309013e89631630a12b1770d27e4be78362a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.