In the Linux kernel, the following vulnerability has been resolved:

parisc: Revise __get_user() to probe user read access

Because of the way read access support is implemented, read access
interruptions are only triggered at privilege levels 2 and 3. The
kernel executes at privilege level 0, so __get_user() never triggers
a read access interruption (code 26). Thus, it is currently possible
for user code to access a read protected address via a system call.

Fix this by probing read access rights at privilege level 3 (PRIV_USER)
and setting __gu_err to -EFAULT (-14) if access isn't allowed.

Note the cmpiclr instruction does a 32-bit compare because COND macro
doesn't work inside asm.
History

Fri, 05 Sep 2025 17:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: parisc: Revise __get_user() to probe user read access Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel executes at privilege level 0, so __get_user() never triggers a read access interruption (code 26). Thus, it is currently possible for user code to access a read protected address via a system call. Fix this by probing read access rights at privilege level 3 (PRIV_USER) and setting __gu_err to -EFAULT (-14) if access isn't allowed. Note the cmpiclr instruction does a 32-bit compare because COND macro doesn't work inside asm.
Title parisc: Revise __get_user() to probe user read access
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2025-09-05T17:21:23.429Z

Reserved: 2025-04-16T07:20:57.117Z

Link: CVE-2025-39716

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2025-09-05T18:15:49.123

Modified: 2025-09-05T18:15:49.123

Link: CVE-2025-39716

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.