Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: copy_verifier_state() should copy 'loop_entry' field

The bpf_verifier_state.loop_entry state should be copied by
copy_verifier_state(). Otherwise, .loop_entry values from unrelated
states would poison env->cur_state.

Additionally, env->stack should not contain any states with
.loop_entry != NULL. The states in env->stack are yet to be verified,
while .loop_entry is set for states that reached an equivalent state.
This means that env->cur_state->loop_entry should always be NULL after
pop_stack().

See the selftest in the next commit for an example of the program that
is not safe yet is accepted by verifier w/o this fix.

This change has some verification performance impact for selftests:

File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF)
---------------------------------- ---------------------------- --------- --------- -------------- ---------- ---------- -------------
arena_htab.bpf.o arena_htab_llvm 717 426 -291 (-40.59%) 57 37 -20 (-35.09%)
arena_htab_asm.bpf.o arena_htab_asm 597 445 -152 (-25.46%) 47 37 -10 (-21.28%)
arena_list.bpf.o arena_list_del 309 279 -30 (-9.71%) 23 14 -9 (-39.13%)
iters.bpf.o ...

Classification

CVE ID: CVE-2025-38060

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.46% (scored less or equal to compared to others)

EPSS Date: 2025-06-22 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-38060
https://git.kernel.org/stable/c/46ba5757a7a4714e7d3f68cfe118208822cb3d78
https://git.kernel.org/stable/c/8b4afd89fa75f738a80ca849126fd3cad77bcbf1
https://git.kernel.org/stable/c/bbbc02b7445ebfda13e4847f4f1413c6480a85a9

Timeline