cve/published/2025/CVE-2025-21869.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21869: powerpc/code-patching: Disable KASAN report during patching via temporary mm

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 powerpc/code-patching: Disable KASAN report during patching via temporary mm

 Erhard reports the following KASAN hit on Talos II (power9) with kernel 6.13:

 [   12.028126] ==================================================================
 [   12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0
 [   12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1

 [   12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G                T  6.13.0-P9-dirty #3
 [   12.028408] Tainted: [T]=RANDSTRUCT
 [   12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV
 [   12.028500] Call Trace:
 [   12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable)
 [   12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708
 [   12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300
 [   12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370
 [   12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40
 [   12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0
 [   12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210
 [   12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590
 [   12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0
 [   12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0
 [   12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930
 [   12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280
 [   12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370
 [   12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00
 [   12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40
 [   12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610
 [   12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280
 [   12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8
 [   12.029608] NIP:  00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000
 [   12.029660] REGS: c000000008dbfe80 TRAP: 3000   Tainted: G                T   (6.13.0-P9-dirty)
 [   12.029735] MSR:  900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI>  CR: 42004848  XER: 00000000
 [   12.029855] IRQMASK: 0
                GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005
                GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008
                GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
                GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000
                GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90
                GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80
                GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8
                GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580
 [   12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8
 [   12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8
 [   12.030405] --- interrupt: 3000
 [   12.030444] ==================================================================

 Commit c28c15b6d28a ("powerpc/code-patching: Use temporary mm for
 Radix MMU") is inspired from x86 but unlike x86 is doesn't disable
 KASAN reports during patching. This wasn't a problem at the begining
 because __patch_mem() is not instrumented.

 Commit 465cabc97b42 ("powerpc/code-patching: introduce
 patch_instructions()") use copy_to_kernel_nofault() to copy several
 instructions at once. But when using temporary mm the destination is
 not regular kernel memory but a kind of kernel-like memory located
 in user address space. Because it is not in kernel address space it is
 not covered by KASAN shadow memory. Since commit e4137f08816b ("mm,
 kasan, kmsan: instrument copy_from/to_kernel_nofault") KASAN reports
 bad accesses from copy_to_kernel_nofault(). Here a bad access to user
 memory is reported because KASAN detects the lack of shadow memory and
 the address is below TASK_SIZE.

 Do like x86 in commit b3fd8e83ada0 ("x86/alternatives: Use temporary
 mm for text poking") and disable KASAN reports during patching when
 using temporary mm.

 Close: https://lore.kernel.org/all/20250201151435.48400261@yea/

 The Linux kernel CVE team has assigned CVE-2025-21869 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.7 with commit 465cabc97b42405eb89380ea6ba8d8b03e4ae1a2 and fixed in 6.12.17 with commit 5980d4456dd66d1b6505d5ec15048bd87e8775e0
 	Issue introduced in 6.7 with commit 465cabc97b42405eb89380ea6ba8d8b03e4ae1a2 and fixed in 6.13.5 with commit ea291447a4031f3dac5c23d55bc83fe833820d84
 	Issue introduced in 6.7 with commit 465cabc97b42405eb89380ea6ba8d8b03e4ae1a2 and fixed in 6.14 with commit dc9c5166c3cb044f8a001e397195242fd6796eee

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21869
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/powerpc/lib/code-patching.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5980d4456dd66d1b6505d5ec15048bd87e8775e0
 	https://git.kernel.org/stable/c/ea291447a4031f3dac5c23d55bc83fe833820d84
 	https://git.kernel.org/stable/c/dc9c5166c3cb044f8a001e397195242fd6796eee
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21869: powerpc/code-patching: Disable KASAN report during patching via temporary mm

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	powerpc/code-patching: Disable KASAN report during patching via temporary mm

	Erhard reports the following KASAN hit on Talos II (power9) with kernel 6.13:

	[ 12.028126] ==================================================================
	[ 12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0
	[ 12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1

	[ 12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.13.0-P9-dirty #3
	[ 12.028408] Tainted: [T]=RANDSTRUCT
	[ 12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV
	[ 12.028500] Call Trace:
	[ 12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable)
	[ 12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708
	[ 12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300
	[ 12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370
	[ 12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40
	[ 12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0
	[ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210
	[ 12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590
	[ 12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0
	[ 12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0
	[ 12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930
	[ 12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280
	[ 12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370
	[ 12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00
	[ 12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40
	[ 12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610
	[ 12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280
	[ 12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8
	[ 12.029608] NIP: 00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000
	[ 12.029660] REGS: c000000008dbfe80 TRAP: 3000 Tainted: G T (6.13.0-P9-dirty)
	[ 12.029735] MSR: 900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI> CR: 42004848 XER: 00000000
	[ 12.029855] IRQMASK: 0
	GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005
	GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008
	GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
	GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000
	GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90
	GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80
	GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8
	GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580
	[ 12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8
	[ 12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8
	[ 12.030405] --- interrupt: 3000
	[ 12.030444] ==================================================================

	Commit c28c15b6d28a ("powerpc/code-patching: Use temporary mm for
	Radix MMU") is inspired from x86 but unlike x86 is doesn't disable
	KASAN reports during patching. This wasn't a problem at the begining
	because __patch_mem() is not instrumented.

	Commit 465cabc97b42 ("powerpc/code-patching: introduce
	patch_instructions()") use copy_to_kernel_nofault() to copy several
	instructions at once. But when using temporary mm the destination is
	not regular kernel memory but a kind of kernel-like memory located
	in user address space. Because it is not in kernel address space it is
	not covered by KASAN shadow memory. Since commit e4137f08816b ("mm,
	kasan, kmsan: instrument copy_from/to_kernel_nofault") KASAN reports
	bad accesses from copy_to_kernel_nofault(). Here a bad access to user
	memory is reported because KASAN detects the lack of shadow memory and
	the address is below TASK_SIZE.

	Do like x86 in commit b3fd8e83ada0 ("x86/alternatives: Use temporary
	mm for text poking") and disable KASAN reports during patching when
	using temporary mm.

	Close: https://lore.kernel.org/all/20250201151435.48400261@yea/

	The Linux kernel CVE team has assigned CVE-2025-21869 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.7 with commit 465cabc97b42405eb89380ea6ba8d8b03e4ae1a2 and fixed in 6.12.17 with commit 5980d4456dd66d1b6505d5ec15048bd87e8775e0
	Issue introduced in 6.7 with commit 465cabc97b42405eb89380ea6ba8d8b03e4ae1a2 and fixed in 6.13.5 with commit ea291447a4031f3dac5c23d55bc83fe833820d84
	Issue introduced in 6.7 with commit 465cabc97b42405eb89380ea6ba8d8b03e4ae1a2 and fixed in 6.14 with commit dc9c5166c3cb044f8a001e397195242fd6796eee

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21869
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/powerpc/lib/code-patching.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5980d4456dd66d1b6505d5ec15048bd87e8775e0
	https://git.kernel.org/stable/c/ea291447a4031f3dac5c23d55bc83fe833820d84
	https://git.kernel.org/stable/c/dc9c5166c3cb044f8a001e397195242fd6796eee