cve/published/2025/CVE-2025-21881.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21881: uprobes: Reject the shared zeropage in uprobe_write_opcode()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 uprobes: Reject the shared zeropage in uprobe_write_opcode()

 We triggered the following crash in syzkaller tests:

   BUG: Bad page state in process syz.7.38  pfn:1eff3
   page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3
   flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff)
   raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000
   raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000
   page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
   Call Trace:
    <TASK>
    dump_stack_lvl+0x32/0x50
    bad_page+0x69/0xf0
    free_unref_page_prepare+0x401/0x500
    free_unref_page+0x6d/0x1b0
    uprobe_write_opcode+0x460/0x8e0
    install_breakpoint.part.0+0x51/0x80
    register_for_each_vma+0x1d9/0x2b0
    __uprobe_register+0x245/0x300
    bpf_uprobe_multi_link_attach+0x29b/0x4f0
    link_create+0x1e2/0x280
    __sys_bpf+0x75f/0xac0
    __x64_sys_bpf+0x1a/0x30
    do_syscall_64+0x56/0x100
    entry_SYSCALL_64_after_hwframe+0x78/0xe2

    BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1

 The following syzkaller test case can be used to reproduce:

   r2 = creat(&(0x7f0000000000)='./file0\x00', 0x8)
   write$nbd(r2, &(0x7f0000000580)=ANY=[], 0x10)
   r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x42, 0x0)
   mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0)
   r5 = userfaultfd(0x80801)
   ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x20})
   r6 = userfaultfd(0x80801)
   ioctl$UFFDIO_API(r6, 0xc018aa3f, &(0x7f0000000140))
   ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2})
   ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, &(0x7f0000000000)={{&(0x7f0000ffd000/0x1000)=nil, 0x1000}})
   r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="1800000000120000000000000000000095"], &(0x7f0000000000)='GPL\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
   bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={&(0x7f0000000080)='./file0\x00', &(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40)

 The cause is that zero pfn is set to the PTE without increasing the RSS
 count in mfill_atomic_pte_zeropage() and the refcount of zero folio does
 not increase accordingly. Then, the operation on the same pfn is performed
 in uprobe_write_opcode()->__replace_page() to unconditional decrease the
 RSS count and old_folio's refcount.

 Therefore, two bugs are introduced:

  1. The RSS count is incorrect, when process exit, the check_mm() report
     error "Bad rss-count".

  2. The reserved folio (zero folio) is freed when folio->refcount is zero,
     then free_pages_prepare->free_page_is_bad() report error
     "Bad page state".

 There is more, the following warning could also theoretically be triggered:

   __replace_page()
     -> ...
       -> folio_remove_rmap_pte()
         -> VM_WARN_ON_FOLIO(is_zero_folio(folio), folio)

 Considering that uprobe hit on the zero folio is a very rare case, just
 reject zero old folio immediately after get_user_page_vma_remote().

 [ mingo: Cleaned up the changelog ]

 The Linux kernel CVE team has assigned CVE-2025-21881 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.5 with commit 2b144498350860b6ee9dc57ff27a93ad488de5dc and fixed in 6.1.130 with commit c4cb2bfa99513311886c1eb5c1c2ac26f3338a6e
 	Issue introduced in 3.5 with commit 2b144498350860b6ee9dc57ff27a93ad488de5dc and fixed in 6.6.81 with commit 0b6f19714588cf2366b0364234f97ba963688f63
 	Issue introduced in 3.5 with commit 2b144498350860b6ee9dc57ff27a93ad488de5dc and fixed in 6.12.18 with commit 13cca2b73e2b0ec3ea6d6615d615395621d22752
 	Issue introduced in 3.5 with commit 2b144498350860b6ee9dc57ff27a93ad488de5dc and fixed in 6.13.6 with commit 54011fc94422f094eaf47555284de70a4bc32bb9
 	Issue introduced in 3.5 with commit 2b144498350860b6ee9dc57ff27a93ad488de5dc and fixed in 6.14 with commit bddf10d26e6e5114e7415a0e442ec6f51a559468

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21881
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/events/uprobes.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c4cb2bfa99513311886c1eb5c1c2ac26f3338a6e
 	https://git.kernel.org/stable/c/0b6f19714588cf2366b0364234f97ba963688f63
 	https://git.kernel.org/stable/c/13cca2b73e2b0ec3ea6d6615d615395621d22752
 	https://git.kernel.org/stable/c/54011fc94422f094eaf47555284de70a4bc32bb9
 	https://git.kernel.org/stable/c/bddf10d26e6e5114e7415a0e442ec6f51a559468
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21881: uprobes: Reject the shared zeropage in uprobe_write_opcode()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	uprobes: Reject the shared zeropage in uprobe_write_opcode()

	We triggered the following crash in syzkaller tests:

	BUG: Bad page state in process syz.7.38 pfn:1eff3
	page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3
	flags: 0x3fffff00004004(referenced\|reserved\|node=0\|zone=1\|lastcpupid=0x1fffff)
	raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000
	raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000
	page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
	Call Trace:
	<TASK>
	dump_stack_lvl+0x32/0x50
	bad_page+0x69/0xf0
	free_unref_page_prepare+0x401/0x500
	free_unref_page+0x6d/0x1b0
	uprobe_write_opcode+0x460/0x8e0
	install_breakpoint.part.0+0x51/0x80
	register_for_each_vma+0x1d9/0x2b0
	__uprobe_register+0x245/0x300
	bpf_uprobe_multi_link_attach+0x29b/0x4f0
	link_create+0x1e2/0x280
	__sys_bpf+0x75f/0xac0
	__x64_sys_bpf+0x1a/0x30
	do_syscall_64+0x56/0x100
	entry_SYSCALL_64_after_hwframe+0x78/0xe2

	BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1

	The following syzkaller test case can be used to reproduce:

	r2 = creat(&(0x7f0000000000)='./file0\x00', 0x8)
	write$nbd(r2, &(0x7f0000000580)=ANY=[], 0x10)
	r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x42, 0x0)
	mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0)
	r5 = userfaultfd(0x80801)
	ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x20})
	r6 = userfaultfd(0x80801)
	ioctl$UFFDIO_API(r6, 0xc018aa3f, &(0x7f0000000140))
	ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2})
	ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, &(0x7f0000000000)={{&(0x7f0000ffd000/0x1000)=nil, 0x1000}})
	r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="1800000000120000000000000000000095"], &(0x7f0000000000)='GPL\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
	bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={&(0x7f0000000080)='./file0\x00', &(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40)

	The cause is that zero pfn is set to the PTE without increasing the RSS
	count in mfill_atomic_pte_zeropage() and the refcount of zero folio does
	not increase accordingly. Then, the operation on the same pfn is performed
	in uprobe_write_opcode()->__replace_page() to unconditional decrease the
	RSS count and old_folio's refcount.

	Therefore, two bugs are introduced:

	1. The RSS count is incorrect, when process exit, the check_mm() report
	error "Bad rss-count".

	2. The reserved folio (zero folio) is freed when folio->refcount is zero,
	then free_pages_prepare->free_page_is_bad() report error
	"Bad page state".

	There is more, the following warning could also theoretically be triggered:

	__replace_page()
	-> ...
	-> folio_remove_rmap_pte()
	-> VM_WARN_ON_FOLIO(is_zero_folio(folio), folio)

	Considering that uprobe hit on the zero folio is a very rare case, just
	reject zero old folio immediately after get_user_page_vma_remote().

	[ mingo: Cleaned up the changelog ]

	The Linux kernel CVE team has assigned CVE-2025-21881 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.5 with commit 2b144498350860b6ee9dc57ff27a93ad488de5dc and fixed in 6.1.130 with commit c4cb2bfa99513311886c1eb5c1c2ac26f3338a6e
	Issue introduced in 3.5 with commit 2b144498350860b6ee9dc57ff27a93ad488de5dc and fixed in 6.6.81 with commit 0b6f19714588cf2366b0364234f97ba963688f63
	Issue introduced in 3.5 with commit 2b144498350860b6ee9dc57ff27a93ad488de5dc and fixed in 6.12.18 with commit 13cca2b73e2b0ec3ea6d6615d615395621d22752
	Issue introduced in 3.5 with commit 2b144498350860b6ee9dc57ff27a93ad488de5dc and fixed in 6.13.6 with commit 54011fc94422f094eaf47555284de70a4bc32bb9
	Issue introduced in 3.5 with commit 2b144498350860b6ee9dc57ff27a93ad488de5dc and fixed in 6.14 with commit bddf10d26e6e5114e7415a0e442ec6f51a559468

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21881
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/events/uprobes.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c4cb2bfa99513311886c1eb5c1c2ac26f3338a6e
	https://git.kernel.org/stable/c/0b6f19714588cf2366b0364234f97ba963688f63
	https://git.kernel.org/stable/c/13cca2b73e2b0ec3ea6d6615d615395621d22752
	https://git.kernel.org/stable/c/54011fc94422f094eaf47555284de70a4bc32bb9
	https://git.kernel.org/stable/c/bddf10d26e6e5114e7415a0e442ec6f51a559468