CVE-2025-37893 in Linuxinfo

Summary

by MITRE • 04/18/2025

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: BPF: Fix off-by-one error in build_prologue()

Vincent reported that running BPF progs with tailcalls on LoongArch causes kernel hard lockup. Debugging the issues shows that the JITed image missing a jirl instruction at the end of the epilogue.

There are two passes in JIT compiling, the first pass set the flags and the second pass generates JIT code based on those flags. With BPF progs mixing bpf2bpf and tailcalls, build_prologue() generates N insns in the first pass and then generates N+1 insns in the second pass. This makes epilogue_offset off by one and we will jump to some unexpected insn and cause lockup. Fix this by inserting a nop insn.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/16/2026

The vulnerability identified as CVE-2025-37893 represents a critical flaw in the Linux kernel's LoongArch architecture support for Berkeley Packet Filter (BPF) execution. This issue manifests as a kernel hard lockup when executing BPF programs that utilize tailcalls on LoongArch processors, creating a denial of service condition that can severely impact system stability. The problem stems from an off-by-one error in the build_prologue() function within the BPF Just-In-Time (JIT) compiler implementation, specifically affecting the handling of instruction pointer calculations during code generation.

The technical root cause involves the dual-pass JIT compilation process employed by the BPF implementation on LoongArch systems. During the first pass, the compiler sets flags and determines the required instruction count for BPF programs that combine bpf2bpf calls with tailcall operations. The second pass then generates the actual JIT code based on these flags. However, when processing programs with mixed BPF call types, the first pass incorrectly calculates N instructions while the second pass actually generates N+1 instructions, creating a discrepancy in the epilogue offset calculation. This offset mismatch causes the JIT compiler to generate incorrect jump instructions that target memory locations containing unexpected instructions, leading to the kernel lockup condition.

The operational impact of this vulnerability extends beyond simple system crashes, as it affects the fundamental BPF execution model on LoongArch platforms. BPF programs are commonly used for network filtering, system monitoring, and security policy enforcement, making this vulnerability particularly dangerous in production environments where such programs are actively deployed. The issue specifically targets systems running Linux kernels with LoongArch architecture support and BPF JIT compilation enabled, potentially affecting servers, network appliances, and embedded systems that rely on BPF for performance-critical operations. The vulnerability demonstrates a classic memory corruption pattern that can be exploited to achieve arbitrary code execution or system compromise, aligning with CWE-121, which describes heap-based buffer overflow conditions.

The fix implemented addresses this issue by inserting a NOP (no operation) instruction to correct the instruction count discrepancy between the two compilation passes. This approach ensures that the epilogue_offset calculation remains accurate regardless of the instruction count variations between passes. The solution follows established security practices for correcting off-by-one errors in low-level code generation and maintains compatibility with existing BPF program functionality. Organizations should prioritize updating their Linux kernel implementations to include this patch, particularly those operating LoongArch-based systems with active BPF usage. The vulnerability highlights the importance of careful instruction pointer management in JIT compilers and the critical need for thorough testing of compilation pass interactions in architecture-specific implementations, aligning with ATT&CK technique T1059.007 for execution through scripting and T1566.002 for social engineering via kernel exploits.

Responsible

Linux

Reservation

04/16/2025

Disclosure

04/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00229

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!