cve/published/2025/CVE-2025-21866.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21866: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC

 Erhard reported the following KASAN hit while booting his PowerMac G4
 with a KASAN-enabled kernel 6.13-rc6:

   BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8
   Write of size 8 at addr f1000000 by task chronyd/1293

   CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G        W          6.13.0-rc6-PMacG4 #2
   Tainted: [W]=WARN
   Hardware name: PowerMac3,6 7455 0x80010303 PowerMac
   Call Trace:
   [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable)
   [c24375b0] [c0504998] print_report+0xdc/0x504
   [c2437610] [c050475c] kasan_report+0xf8/0x108
   [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c
   [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8
   [c24376c0] [c004c014] patch_instructions+0x15c/0x16c
   [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c
   [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac
   [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec
   [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478
   [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14
   [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4
   [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890
   [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420
   [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c
   --- interrupt: c00 at 0x5a1274
   NIP:  005a1274 LR: 006a3b3c CTR: 005296c8
   REGS: c2437f40 TRAP: 0c00   Tainted: G        W           (6.13.0-rc6-PMacG4)
   MSR:  0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI>  CR: 24004422  XER: 00000000

   GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932
   GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57
   GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002
   GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001
   NIP [005a1274] 0x5a1274
   LR [006a3b3c] 0x6a3b3c
   --- interrupt: c00

   The buggy address belongs to the virtual mapping at
    [f1000000, f1002000) created by:
    text_area_cpu_up+0x20/0x190

   The buggy address belongs to the physical page:
   page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30
   flags: 0x80000000(zone=2)
   raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001
   raw: 00000000
   page dumped because: kasan: bad access detected

   Memory state around the buggy address:
    f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   >f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
              ^
    f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
    f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   ==================================================================

 f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not
 initialised hence not supposed to be used yet.

 Powerpc text patching infrastructure allocates a virtual memory area
 using get_vm_area() and flags it as VM_ALLOC. But that flag is meant
 to be used for vmalloc() and vmalloc() allocated memory is not
 supposed to be used before a call to __vmalloc_node_range() which is
 never called for that area.

 That went undetected until commit e4137f08816b ("mm, kasan, kmsan:
 instrument copy_from/to_kernel_nofault")

 The area allocated by text_area_cpu_up() is not vmalloc memory, it is
 mapped directly on demand when needed by map_kernel_page(). There is
 no VM flag corresponding to such usage, so just pass no flag. That way
 the area will be unpoisonned and usable immediately.

 The Linux kernel CVE team has assigned CVE-2025-21866 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 5.4.291 with commit 97de5852058a299ba447cd9782fe96488d30108b
 	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 5.10.235 with commit f8d4c5b653c1bc0df56e15658bbf64fc359adc4e
 	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 5.15.179 with commit 6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c
 	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 6.1.130 with commit c905a3053518212a1017e50bd2be3bee59305bb0
 	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 6.6.80 with commit 2d542f13d26344e3452eee77613026ce9b653065
 	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 6.12.17 with commit 8d06e9208184b2851fa79a3a39d6860320c8bdf8
 	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 6.13.5 with commit 2e6c80423f201405fd65254e52decd21663896f3
 	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 6.14 with commit d262a192d38e527faa5984629aabda2e0d1c4f54

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21866
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/powerpc/lib/code-patching.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/97de5852058a299ba447cd9782fe96488d30108b
 	https://git.kernel.org/stable/c/f8d4c5b653c1bc0df56e15658bbf64fc359adc4e
 	https://git.kernel.org/stable/c/6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c
 	https://git.kernel.org/stable/c/c905a3053518212a1017e50bd2be3bee59305bb0
 	https://git.kernel.org/stable/c/2d542f13d26344e3452eee77613026ce9b653065
 	https://git.kernel.org/stable/c/8d06e9208184b2851fa79a3a39d6860320c8bdf8
 	https://git.kernel.org/stable/c/2e6c80423f201405fd65254e52decd21663896f3
 	https://git.kernel.org/stable/c/d262a192d38e527faa5984629aabda2e0d1c4f54
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21866: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC

	Erhard reported the following KASAN hit while booting his PowerMac G4
	with a KASAN-enabled kernel 6.13-rc6:

	BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8
	Write of size 8 at addr f1000000 by task chronyd/1293

	CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2
	Tainted: [W]=WARN
	Hardware name: PowerMac3,6 7455 0x80010303 PowerMac
	Call Trace:
	[c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable)
	[c24375b0] [c0504998] print_report+0xdc/0x504
	[c2437610] [c050475c] kasan_report+0xf8/0x108
	[c2437690] [c0505a3c] kasan_check_range+0x24/0x18c
	[c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8
	[c24376c0] [c004c014] patch_instructions+0x15c/0x16c
	[c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c
	[c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac
	[c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec
	[c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478
	[c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14
	[c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4
	[c24379d0] [c027111c] do_seccomp+0x3dc/0x1890
	[c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420
	[c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c
	--- interrupt: c00 at 0x5a1274
	NIP: 005a1274 LR: 006a3b3c CTR: 005296c8
	REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4)
	MSR: 0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI> CR: 24004422 XER: 00000000

	GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932
	GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57
	GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002
	GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001
	NIP [005a1274] 0x5a1274
	LR [006a3b3c] 0x6a3b3c
	--- interrupt: c00

	The buggy address belongs to the virtual mapping at
	[f1000000, f1002000) created by:
	text_area_cpu_up+0x20/0x190

	The buggy address belongs to the physical page:
	page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30
	flags: 0x80000000(zone=2)
	raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001
	raw: 00000000
	page dumped because: kasan: bad access detected

	Memory state around the buggy address:
	f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	>f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
	^
	f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
	f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
	==================================================================

	f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not
	initialised hence not supposed to be used yet.

	Powerpc text patching infrastructure allocates a virtual memory area
	using get_vm_area() and flags it as VM_ALLOC. But that flag is meant
	to be used for vmalloc() and vmalloc() allocated memory is not
	supposed to be used before a call to __vmalloc_node_range() which is
	never called for that area.

	That went undetected until commit e4137f08816b ("mm, kasan, kmsan:
	instrument copy_from/to_kernel_nofault")

	The area allocated by text_area_cpu_up() is not vmalloc memory, it is
	mapped directly on demand when needed by map_kernel_page(). There is
	no VM flag corresponding to such usage, so just pass no flag. That way
	the area will be unpoisonned and usable immediately.

	The Linux kernel CVE team has assigned CVE-2025-21866 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 5.4.291 with commit 97de5852058a299ba447cd9782fe96488d30108b
	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 5.10.235 with commit f8d4c5b653c1bc0df56e15658bbf64fc359adc4e
	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 5.15.179 with commit 6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c
	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 6.1.130 with commit c905a3053518212a1017e50bd2be3bee59305bb0
	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 6.6.80 with commit 2d542f13d26344e3452eee77613026ce9b653065
	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 6.12.17 with commit 8d06e9208184b2851fa79a3a39d6860320c8bdf8
	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 6.13.5 with commit 2e6c80423f201405fd65254e52decd21663896f3
	Issue introduced in 4.13 with commit 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 and fixed in 6.14 with commit d262a192d38e527faa5984629aabda2e0d1c4f54

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21866
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/powerpc/lib/code-patching.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/97de5852058a299ba447cd9782fe96488d30108b
	https://git.kernel.org/stable/c/f8d4c5b653c1bc0df56e15658bbf64fc359adc4e
	https://git.kernel.org/stable/c/6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c
	https://git.kernel.org/stable/c/c905a3053518212a1017e50bd2be3bee59305bb0
	https://git.kernel.org/stable/c/2d542f13d26344e3452eee77613026ce9b653065
	https://git.kernel.org/stable/c/8d06e9208184b2851fa79a3a39d6860320c8bdf8
	https://git.kernel.org/stable/c/2e6c80423f201405fd65254e52decd21663896f3
	https://git.kernel.org/stable/c/d262a192d38e527faa5984629aabda2e0d1c4f54