CVE-2025-40346

Vulnerability

Description

CVE-2025-40346 is a bug in the Linux kernel's arch_topology subsystem, specifically in the topology_parse_cpu_capacity() function. The root cause is an incorrect application of PTR_ERR_OR_ZERO() for checking the result of of_clk_get() [1]. According to the kernel's include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns an error code if the pointer is an error pointer, and 0 otherwise. Since both a valid pointer and a NULL pointer result in a 0 return value, the condition !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true when cpu_clk is either valid or NULL [1]. This means the code proceeds to call clk_get_rate() even when cpu_clk is NULL, leading to a potential NULL pointer dereference [1].

Exploitation

Scenario

Exploitation requires that of_clk_get() returns NULL, which can occur if the CPU clock is not properly defined in the device tree or if the clock lookup fails [1]. The error was introduced due to a misunderstanding of the return semantics of PTR_ERR_OR_ZERO() [1]. An attacker with the ability to influence the device tree or to trigger a clock lookup failure could cause the kernel to dereference a NULL pointer. This could happen either through local access (e.g., modifying the device tree via a kernel module or a privileged user) or possibly through a crafted hardware configuration.

Impact

If successfully triggered, the NULL pointer dereference in clk_get_rate() could cause a kernel panic, leading to a denial of service (DoS) on the affected system [1]. No privilege escalation or arbitrary code execution is described in the references. The vulnerability affects the CPU capacity parsing logic, which is used in CPU frequency scaling and scheduling; a crash could disrupt system operation until a reboot.

Mitigation

The fix replaces the flawed !PTR_ERR_OR_ZERO(cpu_clk) check with !IS_ERR_OR_NULL(cpu_clk), which correctly ensures that only valid (non-error, non-NULL) pointers are used [1]. Patches were applied to the stable kernel trees as indicated by the commit references [1][2][3]. Users should update to a kernel version containing these fixes, or apply the patch manually if on a maintained version.