HIGH
crypto StarFive Overflow
CVE-2025-68763
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: starfive - Correctly handle return of sg_nents_for_len

The return value of sg_nents_for_len was assigned to an unsigned long in starfive_hash_digest, causing negative error codes to be converted to large positive integers. Add error checking for sg_nents_for_len and return immediately on failure to prevent potential buffer overflows.
02 KernelScan AI Analysis
Risk summary
A signedness error (signed-to-unsigned conversion) in the StarFive JH7110 crypto driver allows negative error codes from sg_nents_for_len() to be interpreted as large positive integers when calculating scatter-gather list lengths. This can lead to out-of-bounds reads and buffer overflows, potentially causing kernel memory corruption, information disclosure, and system crashes on devices using StarFive JH7110 SoCs. The vulnerability is reachable by unprivileged local users via the kernel crypto API (e.g., AF_ALG sockets).
Vulnerability analysis
The root cause is improper handling of the sg_nents_for_len() return value in starfive_hash_digest(). The function returns a signed integer that can be negative (error code), but was assigned directly to an unsigned long field, causing negative values to wrap to large positive integers. This corrupted length value could then be used to iterate beyond the bounds of the scatter-gather list, resulting in out-of-bounds reads of kernel memory and potential buffer overflows. The fix adds proper error checking by storing the return value in a signed variable, validating it is non-negative, and only then assigning to the unsigned field. The attack surface is local and reachable by unprivileged users through standard crypto hash APIs such as AF_ALG sockets.
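The conversion described above, reduced to a userspace C model. This is an added example, not the StarFive driver's code or the upstream patch. `mock_sg`, `mock_sg_nents_for_len`, `count_unchecked` and `count_checked` are hypothetical names; the mock only reproduces the return contract of sg_nents_for_len(): an entry count, or -EINVAL when the list holds fewer bytes than requested.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a scatterlist: only the entry lengths. */
struct mock_sg { unsigned int length; };

/* Models the sg_nents_for_len() contract: entries needed to cover len
 * bytes, or -EINVAL when the list holds fewer than len bytes. */
static int mock_sg_nents_for_len(const struct mock_sg *sg, size_t n,
                                 unsigned long long len)
{
    unsigned long long total = 0;
    if (!len)
        return 0;
    for (size_t i = 0; i < n; i++) {
        total += sg[i].length;
        if (total >= len)
            return (int)(i + 1);
    }
    return -EINVAL;
}

/* Constructed input: two 16-byte entries, 32 bytes in total. */
static const struct mock_sg sample[2] = { { 16 }, { 16 } };

/* Pre-fix pattern: the int result is stored directly in an unsigned long. */
static unsigned long count_unchecked(unsigned long long len)
{
    unsigned long nents = mock_sg_nents_for_len(sample, 2, len); /* errno wraps */
    return nents;
}

/* Post-fix pattern: signed temporary, reject negatives, then assign. */
static int count_checked(unsigned long long len, unsigned long *out)
{
    int nents = mock_sg_nents_for_len(sample, 2, len);
    if (nents < 0)
        return nents;          /* caller sees the error, *out is untouched */
    *out = (unsigned long)nents;
    return 0;
}

int main(void)
{
    unsigned long n = 0;
    printf("unchecked=%lu checked rc=%d\n", count_unchecked(64), count_checked(64, &n));
    return 0;
}
```

Requesting 64 bytes from the 32-byte sample list makes the unchecked path report an entry count near ULONG_MAX, while the checked path returns the error before any count is stored.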
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.6 | 6.6.120 | 6cd14414394b |
| 6.12 | 6.12.63 | 0c3854d65cc4 |
| 6.17 | 6.17.13 | 1af5c973dd74 |
| 6.18 | 6.18.2 | 9b3f71cf02e0 |
| mainline | 6.19 | e9eb52037a52 |