cve/published/2025/CVE-2025-37779.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37779: lib/iov_iter: fix to increase non slab folio refcount

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 lib/iov_iter: fix to increase non slab folio refcount

 When testing EROFS file-backed mount over v9fs on qemu, I encountered a
 folio UAF issue.  The page sanity check reports the following call trace.
 The root cause is that pages in bvec are coalesced across a folio bounary.
 The refcount of all non-slab folios should be increased to ensure
 p9_releas_pages can put them correctly.

 BUG: Bad page state in process md5sum  pfn:18300
 page: refcount:0 mapcount:0 mapping:00000000d5ad8e4e index:0x60 pfn:0x18300
 head: order:0 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
 aops:z_erofs_aops ino:30b0f dentry name(?):"GoogleExtServicesCn.apk"
 flags: 0x100000000000041(locked|head|node=0|zone=1)
 raw: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0
 raw: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000
 head: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0
 head: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000
 head: 0100000000000000 0000000000000000 ffffffffffffffff 0000000000000000
 head: 0000000000000010 0000000000000000 00000000ffffffff 0000000000000000
 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
 Call Trace:
  dump_stack_lvl+0x53/0x70
  bad_page+0xd4/0x220
  __free_pages_ok+0x76d/0xf30
  __folio_put+0x230/0x320
  p9_release_pages+0x179/0x1f0
  p9_virtio_zc_request+0xa2a/0x1230
  p9_client_zc_rpc.constprop.0+0x247/0x700
  p9_client_read_once+0x34d/0x810
  p9_client_read+0xf3/0x150
  v9fs_issue_read+0x111/0x360
  netfs_unbuffered_read_iter_locked+0x927/0x1390
  netfs_unbuffered_read_iter+0xa2/0xe0
  vfs_iocb_iter_read+0x2c7/0x460
  erofs_fileio_rq_submit+0x46b/0x5b0
  z_erofs_runqueue+0x1203/0x21e0
  z_erofs_readahead+0x579/0x8b0
  read_pages+0x19f/0xa70
  page_cache_ra_order+0x4ad/0xb80
  filemap_readahead.isra.0+0xe7/0x150
  filemap_get_pages+0x7aa/0x1890
  filemap_read+0x320/0xc80
  vfs_read+0x6c6/0xa30
  ksys_read+0xf9/0x1c0
  do_syscall_64+0x9e/0x1a0
  entry_SYSCALL_64_after_hwframe+0x71/0x79

 The Linux kernel CVE team has assigned CVE-2025-37779 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.14 with commit b9c0e49abfca06f1a109acea834bcfc934f33f76 and fixed in 6.14.4 with commit d833f21162c4d536d729628f8cf1ee8d4110f2b7
 	Issue introduced in 6.14 with commit b9c0e49abfca06f1a109acea834bcfc934f33f76 and fixed in 6.15 with commit 770c8d55c42868239c748a3ebc57c9e37755f842

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37779
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	lib/iov_iter.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d833f21162c4d536d729628f8cf1ee8d4110f2b7
 	https://git.kernel.org/stable/c/770c8d55c42868239c748a3ebc57c9e37755f842
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37779: lib/iov_iter: fix to increase non slab folio refcount

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	lib/iov_iter: fix to increase non slab folio refcount

	When testing EROFS file-backed mount over v9fs on qemu, I encountered a
	folio UAF issue. The page sanity check reports the following call trace.
	The root cause is that pages in bvec are coalesced across a folio bounary.
	The refcount of all non-slab folios should be increased to ensure
	p9_releas_pages can put them correctly.

	BUG: Bad page state in process md5sum pfn:18300
	page: refcount:0 mapcount:0 mapping:00000000d5ad8e4e index:0x60 pfn:0x18300
	head: order:0 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
	aops:z_erofs_aops ino:30b0f dentry name(?):"GoogleExtServicesCn.apk"
	flags: 0x100000000000041(locked\|head\|node=0\|zone=1)
	raw: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0
	raw: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000
	head: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0
	head: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000
	head: 0100000000000000 0000000000000000 ffffffffffffffff 0000000000000000
	head: 0000000000000010 0000000000000000 00000000ffffffff 0000000000000000
	page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
	Call Trace:
	dump_stack_lvl+0x53/0x70
	bad_page+0xd4/0x220
	__free_pages_ok+0x76d/0xf30
	__folio_put+0x230/0x320
	p9_release_pages+0x179/0x1f0
	p9_virtio_zc_request+0xa2a/0x1230
	p9_client_zc_rpc.constprop.0+0x247/0x700
	p9_client_read_once+0x34d/0x810
	p9_client_read+0xf3/0x150
	v9fs_issue_read+0x111/0x360
	netfs_unbuffered_read_iter_locked+0x927/0x1390
	netfs_unbuffered_read_iter+0xa2/0xe0
	vfs_iocb_iter_read+0x2c7/0x460
	erofs_fileio_rq_submit+0x46b/0x5b0
	z_erofs_runqueue+0x1203/0x21e0
	z_erofs_readahead+0x579/0x8b0
	read_pages+0x19f/0xa70
	page_cache_ra_order+0x4ad/0xb80
	filemap_readahead.isra.0+0xe7/0x150
	filemap_get_pages+0x7aa/0x1890
	filemap_read+0x320/0xc80
	vfs_read+0x6c6/0xa30
	ksys_read+0xf9/0x1c0
	do_syscall_64+0x9e/0x1a0
	entry_SYSCALL_64_after_hwframe+0x71/0x79

	The Linux kernel CVE team has assigned CVE-2025-37779 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.14 with commit b9c0e49abfca06f1a109acea834bcfc934f33f76 and fixed in 6.14.4 with commit d833f21162c4d536d729628f8cf1ee8d4110f2b7
	Issue introduced in 6.14 with commit b9c0e49abfca06f1a109acea834bcfc934f33f76 and fixed in 6.15 with commit 770c8d55c42868239c748a3ebc57c9e37755f842

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37779
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	lib/iov_iter.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d833f21162c4d536d729628f8cf1ee8d4110f2b7
	https://git.kernel.org/stable/c/770c8d55c42868239c748a3ebc57c9e37755f842