{"id":72512,"date":"2025-10-28T15:45:42","date_gmt":"2025-10-28T12:15:42","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-40079-riscv-bpf-sign-extend-struct-ops-return-values-properly\/"},"modified":"2025-10-28T15:45:42","modified_gmt":"2025-10-28T12:15:42","slug":"cve-2025-40079-riscv-bpf-sign-extend-struct-ops-return-values-properly","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-40079-riscv-bpf-sign-extend-struct-ops-return-values-properly\/","title":{"rendered":"CVE-2025-40079 &#8211; riscv, bpf: Sign extend struct ops return values properly"},"content":{"rendered":"<p>CVE ID : CVE-2025-40079<\/p>\n<p>Published :  Oct. 28, 2025, 12:15 p.m. | 29\u00a0minutes ago<\/p>\n<p>Description : In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>riscv, bpf: Sign extend struct ops return values properly<\/p>\n<p>The ns_bpf_qdisc selftest triggers a kernel panic:<\/p>\n<p>    Unable to handle kernel paging request at virtual address ffffffffa38dbf58<br \/>\n    Current test_progs pgtable: 4K pagesize, 57-bit VAs, pgdp=0x00000001109cc000<br \/>\n    [ffffffffa38dbf58] pgd=000000011fffd801, p4d=000000011fffd401, pud=000000011fffd001, pmd=0000000000000000<br \/>\n    Oops [#1]\n    Modules linked in: bpf_testmod(OE) xt_conntrack nls_iso8859_1 [&#8230;] [last unloaded: bpf_testmod(OE)]\n    CPU: 1 UID: 0 PID: 23584 Comm: test_progs Tainted: G        W  OE       6.17.0-rc1-g2465bb83e0b4 #1 NONE<br \/>\n    Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br \/>\n    Hardware name: Unknown Unknown Product\/Unknown Product, BIOS 2024.01+dfsg-1ubuntu5.1 01\/01\/2024<br \/>\n    epc : __qdisc_run+0x82\/0x6f0<br \/>\n     ra : __qdisc_run+0x6e\/0x6f0<br \/>\n    epc : ffffffff80bd5c7a ra : ffffffff80bd5c66 sp : ff2000000eecb550<br \/>\n     gp : ffffffff82472098 tp : ff60000096895940 t0 : ffffffff8001f180<br \/>\n     t1 : ffffffff801e1664 t2 : 0000000000000000 s0 : ff2000000eecb5d0<br \/>\n     s1 : 
ff60000093a6a600 a0 : ffffffffa38dbee8 a1 : 0000000000000001<br \/>\n     a2 : ff2000000eecb510 a3 : 0000000000000001 a4 : 0000000000000000<br \/>\n     a5 : 0000000000000010 a6 : 0000000000000000 a7 : 0000000000735049<br \/>\n     s2 : ffffffffa38dbee8 s3 : 0000000000000040 s4 : ff6000008bcda000<br \/>\n     s5 : 0000000000000008 s6 : ff60000093a6a680 s7 : ff60000093a6a6f0<br \/>\n     s8 : ff60000093a6a6ac s9 : ff60000093140000 s10: 0000000000000000<br \/>\n     s11: ff2000000eecb9d0 t3 : 0000000000000000 t4 : 0000000000ff0000<br \/>\n     t5 : 0000000000000000 t6 : ff60000093a6a8b6<br \/>\n    status: 0000000200000120 badaddr: ffffffffa38dbf58 cause: 000000000000000d<br \/>\n    [] __qdisc_run+0x82\/0x6f0<br \/>\n    [] __dev_queue_xmit+0x4c0\/0x1128<br \/>\n    [] neigh_resolve_output+0xd0\/0x170<br \/>\n    [] ip6_finish_output2+0x226\/0x6c8<br \/>\n    [] ip6_finish_output+0x10c\/0x2a0<br \/>\n    [] ip6_output+0x5e\/0x178<br \/>\n    [] ip6_xmit+0x29a\/0x608<br \/>\n    [] inet6_csk_xmit+0xe6\/0x140<br \/>\n    [] __tcp_transmit_skb+0x45c\/0xaa8<br \/>\n    [] tcp_connect+0x9ce\/0xd10<br \/>\n    [] tcp_v6_connect+0x4ac\/0x5e8<br \/>\n    [] __inet_stream_connect+0xd8\/0x318<br \/>\n    [] inet_stream_connect+0x3e\/0x68<br \/>\n    [] __sys_connect_file+0x50\/0x88<br \/>\n    [] __sys_connect+0x96\/0xc8<br \/>\n    [] __riscv_sys_connect+0x20\/0x30<br \/>\n    [] do_trap_ecall_u+0x256\/0x378<br \/>\n    [] handle_exception+0x14a\/0x156<br \/>\n    Code: 892a 0363 1205 489c 8bc1 c7e5 2d03 084a 2703 080a (2783) 0709<br \/>\n    &#8212;[ end trace 0000000000000000 ]&#8212;<\/p>\n<p>The bpf_fifo_dequeue prog returns a skb which is a pointer. The pointer<br \/>\nis treated as a 32bit value and sign extend to 64bit in epilogue. 
This<br \/>\nbehavior is right for most bpf prog types but wrong for struct ops which<br \/>\nrequires RISC-V ABI.<\/p>\n<p>So let&#8217;s sign extend struct ops return values according to the function<br \/>\nmodel and RISC-V ABI([0]).<\/p>\n<p>  [0]: https:\/\/riscv.org\/wp-content\/uploads\/2024\/12\/riscv-calling.pdf<\/p>\n<p>Severity: 0.0 | NA<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2025-40079 Published : Oct. 28, 2025, 12:15 p.m. | 29\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: riscv, bpf: Sign extend struct ops return values properly The ns_bpf_qdisc selftest triggers a kernel panic: Unable to handle kernel paging request at virtual address ffffffffa38dbf58 Current test_progs pgtable: &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-72512","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/72512","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=72512"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/72512\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=72512"}],"wp:term":[{"taxonomy":"category","embeddable":true
,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=72512"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=72512"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}