CVE-2025-38284 in Linux
Summary
by MITRE • 07/10/2025
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: pci: configure manual DAC mode via PCI config API only
To support 36-bit DMA, configure chip proprietary bit via PCI config API or chip DBI interface. However, the PCI device mmap isn't set yet and the DBI is also inaccessible via mmap, so only if the bit can be accessible via PCI config API, chip can support 36-bit DMA. Otherwise, fallback to 32-bit DMA.
With NULL mmap address, kernel throws trace:
BUG: unable to handle page fault for address: 0000000000001090 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G OE 6.14.2-061402-generic #202504101348 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci]
RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206 RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000 RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020 RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015 R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060 FS: 0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0 Call Trace: <TASK> rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci]
rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci]
rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci]
? __pfx___device_attach_driver+0x10/0x10 ? __pfx___device_attach_driver+0x10/0x10 local_pci_probe+0x47/0xa0 pci_call_probe+0x5d/0x190 pci_device_probe+0xa7/0x160 really_probe+0xf9/0x370 ? pm_runtime_barrier+0x55/0xa0 __driver_probe_device+0x8c/0x140 driver_probe_device+0x24/0xd0 __device_attach_driver+0xcd/0x170 bus_for_each_drv+0x99/0x100 __device_attach+0xb4/0x1d0 device_attach+0x10/0x20 pci_bus_add_device+0x59/0x90 pci_bus_add_devices+0x31/0x80 pciehp_configure_device+0xaa/0x170 pciehp_enable_slot+0xd6/0x240 pciehp_handle_presence_or_link_change+0xf1/0x180 pciehp_ist+0x162/0x1c0 irq_thread_fn+0x24/0x70 irq_thread+0xef/0x1c0 ? __pfx_irq_thread_fn+0x10/0x10 ? __pfx_irq_thread_dtor+0x10/0x10 ? __pfx_irq_thread+0x10/0x10 kthread+0xfc/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x47/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK>
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 12/07/2025
The vulnerability identified as CVE-2025-38284 resides within the Linux kernel's wireless driver implementation, specifically in the rtw89_pci module responsible for handling Realtek 802.11 wireless devices. This issue manifests during the initialization phase of PCI-based wireless adapters where the driver attempts to configure the device for 36-bit DMA support. The core technical flaw stems from an improper sequence in accessing hardware configuration registers, where the driver tries to set up chip-specific proprietary bits before the PCI memory mapping is fully established. According to the kernel trace, this results in a page fault when attempting to write to address 0x1090, indicating an attempt to access unmapped memory during device initialization. The error occurs within the rtw89_pci_ops_write16 function, which is part of the PCI configuration space access routines, and ultimately leads to a kernel oops condition that terminates the device probing process.
The operational impact of this vulnerability is significant as it prevents proper initialization of certain Realtek wireless PCI devices, particularly those requiring 36-bit DMA support for optimal performance. When the kernel encounters this issue during boot or device insertion, it fails to properly configure the wireless adapter, resulting in device malfunction or complete non-functionality. The vulnerability specifically affects systems using the rtw89 wireless driver where the hardware requires 36-bit DMA capabilities but the driver cannot access the necessary configuration registers through the standard PCI configuration API due to the premature initialization sequence. This issue is particularly concerning in enterprise or embedded environments where wireless connectivity is critical for system operation, as it could lead to unexpected device failures or require manual intervention to disable problematic wireless hardware.
The root cause of this vulnerability can be traced to a violation of proper initialization sequencing, which aligns with CWE-691, "Insufficient Control Flow Management", and CWE-835, "Loop with Unreachable Exit Condition". The driver's failure to check for proper memory mapping availability before attempting hardware register access creates a condition where kernel memory management routines are invoked with invalid addresses. Additionally, this vulnerability relates to the ATT&CK technique T1059.001, "Command and Scripting Interpreter: PowerShell", in that it involves kernel-level scripting through device drivers, and T1490, "Inhibit System Recovery", as it prevents proper system initialization. The fix implemented addresses this by ensuring that only PCI configuration API access is used for setting the DAC mode, which is accessible before the mmap is established, thereby avoiding the premature access to unmapped memory regions. This remediation approach aligns with security best practices by ensuring proper resource initialization order and preventing unauthorized memory access patterns that could potentially be exploited in more sophisticated attacks. The patch effectively ensures that the driver gracefully falls back to 32-bit DMA when 36-bit DMA cannot be properly configured, maintaining system stability while preventing the kernel oops condition that would otherwise occur.