cve/published/2025/CVE-2025-37960.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37960: memblock: Accept allocated memory before use in memblock_double_array()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 memblock: Accept allocated memory before use in memblock_double_array()

 When increasing the array size in memblock_double_array() and the slab
 is not yet available, a call to memblock_find_in_range() is used to
 reserve/allocate memory. However, the range returned may not have been
 accepted, which can result in a crash when booting an SNP guest:

   RIP: 0010:memcpy_orig+0x68/0x130
   Code: ...
   RSP: 0000:ffffffff9cc03ce8 EFLAGS: 00010006
   RAX: ff11001ff83e5000 RBX: 0000000000000000 RCX: fffffffffffff000
   RDX: 0000000000000bc0 RSI: ffffffff9dba8860 RDI: ff11001ff83e5c00
   RBP: 0000000000002000 R08: 0000000000000000 R09: 0000000000002000
   R10: 000000207fffe000 R11: 0000040000000000 R12: ffffffff9d06ef78
   R13: ff11001ff83e5000 R14: ffffffff9dba7c60 R15: 0000000000000c00
   memblock_double_array+0xff/0x310
   memblock_add_range+0x1fb/0x2f0
   memblock_reserve+0x4f/0xa0
   memblock_alloc_range_nid+0xac/0x130
   memblock_alloc_internal+0x53/0xc0
   memblock_alloc_try_nid+0x3d/0xa0
   swiotlb_init_remap+0x149/0x2f0
   mem_init+0xb/0xb0
   mm_core_init+0x8f/0x350
   start_kernel+0x17e/0x5d0
   x86_64_start_reservations+0x14/0x30
   x86_64_start_kernel+0x92/0xa0
   secondary_startup_64_no_verify+0x194/0x19b

 Mitigate this by calling accept_memory() on the memory range returned
 before the slab is available.

 Prior to v6.12, the accept_memory() interface used a 'start' and 'end'
 parameter instead of 'start' and 'size', therefore the accept_memory()
 call must be adjusted to specify 'start + size' for 'end' when applying
 to kernels prior to v6.12.

 The Linux kernel CVE team has assigned CVE-2025-37960 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.5 with commit dcdfdd40fa82b6704d2841938e5c8ec3051eb0d6 and fixed in 6.6.92 with commit 7bcd29181bab8d508d2adfdbb132de8b1e088698
 	Issue introduced in 6.5 with commit dcdfdd40fa82b6704d2841938e5c8ec3051eb0d6 and fixed in 6.12.29 with commit d66a22f6a432a9dd376c9b365d7dc89bd416909c
 	Issue introduced in 6.5 with commit dcdfdd40fa82b6704d2841938e5c8ec3051eb0d6 and fixed in 6.14.7 with commit aa513e69e011a2b19fa22ce62ce35effbd5e0c81
 	Issue introduced in 6.5 with commit dcdfdd40fa82b6704d2841938e5c8ec3051eb0d6 and fixed in 6.15 with commit da8bf5daa5e55a6af2b285ecda460d6454712ff4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37960
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/memblock.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7bcd29181bab8d508d2adfdbb132de8b1e088698
 	https://git.kernel.org/stable/c/d66a22f6a432a9dd376c9b365d7dc89bd416909c
 	https://git.kernel.org/stable/c/aa513e69e011a2b19fa22ce62ce35effbd5e0c81
 	https://git.kernel.org/stable/c/da8bf5daa5e55a6af2b285ecda460d6454712ff4
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37960: memblock: Accept allocated memory before use in memblock_double_array()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	memblock: Accept allocated memory before use in memblock_double_array()

	When increasing the array size in memblock_double_array() and the slab
	is not yet available, a call to memblock_find_in_range() is used to
	reserve/allocate memory. However, the range returned may not have been
	accepted, which can result in a crash when booting an SNP guest:

	RIP: 0010:memcpy_orig+0x68/0x130
	Code: ...
	RSP: 0000:ffffffff9cc03ce8 EFLAGS: 00010006
	RAX: ff11001ff83e5000 RBX: 0000000000000000 RCX: fffffffffffff000
	RDX: 0000000000000bc0 RSI: ffffffff9dba8860 RDI: ff11001ff83e5c00
	RBP: 0000000000002000 R08: 0000000000000000 R09: 0000000000002000
	R10: 000000207fffe000 R11: 0000040000000000 R12: ffffffff9d06ef78
	R13: ff11001ff83e5000 R14: ffffffff9dba7c60 R15: 0000000000000c00
	memblock_double_array+0xff/0x310
	memblock_add_range+0x1fb/0x2f0
	memblock_reserve+0x4f/0xa0
	memblock_alloc_range_nid+0xac/0x130
	memblock_alloc_internal+0x53/0xc0
	memblock_alloc_try_nid+0x3d/0xa0
	swiotlb_init_remap+0x149/0x2f0
	mem_init+0xb/0xb0
	mm_core_init+0x8f/0x350
	start_kernel+0x17e/0x5d0
	x86_64_start_reservations+0x14/0x30
	x86_64_start_kernel+0x92/0xa0
	secondary_startup_64_no_verify+0x194/0x19b

	Mitigate this by calling accept_memory() on the memory range returned
	before the slab is available.

	Prior to v6.12, the accept_memory() interface used a 'start' and 'end'
	parameter instead of 'start' and 'size', therefore the accept_memory()
	call must be adjusted to specify 'start + size' for 'end' when applying
	to kernels prior to v6.12.

	The Linux kernel CVE team has assigned CVE-2025-37960 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.5 with commit dcdfdd40fa82b6704d2841938e5c8ec3051eb0d6 and fixed in 6.6.92 with commit 7bcd29181bab8d508d2adfdbb132de8b1e088698
	Issue introduced in 6.5 with commit dcdfdd40fa82b6704d2841938e5c8ec3051eb0d6 and fixed in 6.12.29 with commit d66a22f6a432a9dd376c9b365d7dc89bd416909c
	Issue introduced in 6.5 with commit dcdfdd40fa82b6704d2841938e5c8ec3051eb0d6 and fixed in 6.14.7 with commit aa513e69e011a2b19fa22ce62ce35effbd5e0c81
	Issue introduced in 6.5 with commit dcdfdd40fa82b6704d2841938e5c8ec3051eb0d6 and fixed in 6.15 with commit da8bf5daa5e55a6af2b285ecda460d6454712ff4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37960
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/memblock.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7bcd29181bab8d508d2adfdbb132de8b1e088698
	https://git.kernel.org/stable/c/d66a22f6a432a9dd376c9b365d7dc89bd416909c
	https://git.kernel.org/stable/c/aa513e69e011a2b19fa22ce62ce35effbd5e0c81
	https://git.kernel.org/stable/c/da8bf5daa5e55a6af2b285ecda460d6454712ff4