CVE-2025-21932 (GCVE-0-2025-21932)
Vulnerability from cvelistv5
Published
2025-04-01 15:41
Modified
2025-05-04 07:24
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: mm: abort vma_modify() on merge out of memory failure The remainder of vma_modify() relies upon the vmg state remaining pristine after a merge attempt. Usually this is the case, however in the one edge case scenario of a merge attempt failing not due to the specified range being unmergeable, but rather due to an out of memory error arising when attempting to commit the merge, this assumption becomes untrue. This results in vmg->start, end being modified, and thus the proceeding attempts to split the VMA will be done with invalid start/end values. Thankfully, it is likely practically impossible for us to hit this in reality, as it would require a maple tree node pre-allocation failure that would likely never happen due to it being 'too small to fail', i.e. the kernel would simply keep retrying reclaim until it succeeded. However, this scenario remains theoretically possible, and what we are doing here is wrong so we must correct it. The safest option is, when this scenario occurs, to simply give up the operation. If we cannot allocate memory to merge, then we cannot allocate memory to split either (perhaps moreso!). Any scenario where this would be happening would be under very extreme (likely fatal) memory pressure, so it's best we give up early. So there is no doubt it is appropriate to simply bail out in this scenario. However, in general we must if at all possible never assume VMG state is stable after a merge attempt, since merge operations update VMG fields. As a result, additionally also make this clear by storing start, end in local variables. The issue was reported originally by syzkaller, and by Brad Spengler (via an off-list discussion), and in both instances it manifested as a triggering of the assert: VM_WARN_ON_VMG(start >= end, vmg); In vma_merge_existing_range(). It seems at least one scenario in which this is occurring is one in which the merge being attempted is due to an madvise() across multiple VMAs which looks like this: start end |<------>| |----------|------| | vma | next | |----------|------| When madvise_walk_vmas() is invoked, we first find vma in the above (determining prev to be equal to vma as we are offset into vma), and then enter the loop. We determine the end of vma that forms part of the range we are madvise()'ing by setting 'tmp' to this value: /* Here vma->vm_start <= start < (end|vma->vm_end) */ tmp = vma->vm_end; We then invoke the madvise() operation via visit(), letting prev get updated to point to vma as part of the operation: /* Here vma->vm_start <= start < tmp <= (end|vma->vm_end). */ error = visit(vma, &prev, start, tmp, arg); Where the visit() function pointer in this instance is madvise_vma_behavior(). As observed in syzkaller reports, it is ultimately madvise_update_vma() that is invoked, calling vma_modify_flags_name() and vma_modify() in turn. Then, in vma_modify(), we attempt the merge: merged = vma_merge_existing_range(vmg); if (merged) return merged; We invoke this with vmg->start, end set to start, tmp as such: start tmp |<--->| |----------|------| | vma | next | |----------|------| We find ourselves in the merge right scenario, but the one in which we cannot remove the middle (we are offset into vma). Here we have a special case where vmg->start, end get set to perhaps unintuitive values - we intended to shrink the middle VMA and expand the next. This means vmg->start, end are set to... vma->vm_start, start. Now the commit_merge() fails, and vmg->start, end are left like this. This means we return to the rest of vma_modify() with vmg->start, end (here denoted as start', end') set as: start' end' |<-->| |----------|------| | vma | next | |----------|------| So we now erroneously try to split accordingly. This is where the unfortunate ---truncated---
References
Impacted products
Vendor Product Version
Linux Linux Version: 2f1c6611b0a89afcb8641471af5f223c9caa01e0
Version: 2f1c6611b0a89afcb8641471af5f223c9caa01e0
Version: 2f1c6611b0a89afcb8641471af5f223c9caa01e0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/vma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "79636d2981b066acd945117387a9533f56411f6f",
              "status": "affected",
              "version": "2f1c6611b0a89afcb8641471af5f223c9caa01e0",
              "versionType": "git"
            },
            {
              "lessThan": "53fd215f7886a1e8dea5a9ca1391dbb697fff601",
              "status": "affected",
              "version": "2f1c6611b0a89afcb8641471af5f223c9caa01e0",
              "versionType": "git"
            },
            {
              "lessThan": "47b16d0462a460000b8f05dfb1292377ac48f3ca",
              "status": "affected",
              "version": "2f1c6611b0a89afcb8641471af5f223c9caa01e0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/vma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: abort vma_modify() on merge out of memory failure\n\nThe remainder of vma_modify() relies upon the vmg state remaining pristine\nafter a merge attempt.\n\nUsually this is the case, however in the one edge case scenario of a merge\nattempt failing not due to the specified range being unmergeable, but\nrather due to an out of memory error arising when attempting to commit the\nmerge, this assumption becomes untrue.\n\nThis results in vmg-\u003estart, end being modified, and thus the proceeding\nattempts to split the VMA will be done with invalid start/end values.\n\nThankfully, it is likely practically impossible for us to hit this in\nreality, as it would require a maple tree node pre-allocation failure that\nwould likely never happen due to it being \u0027too small to fail\u0027, i.e.  the\nkernel would simply keep retrying reclaim until it succeeded.\n\nHowever, this scenario remains theoretically possible, and what we are\ndoing here is wrong so we must correct it.\n\nThe safest option is, when this scenario occurs, to simply give up the\noperation.  If we cannot allocate memory to merge, then we cannot allocate\nmemory to split either (perhaps moreso!).\n\nAny scenario where this would be happening would be under very extreme\n(likely fatal) memory pressure, so it\u0027s best we give up early.\n\nSo there is no doubt it is appropriate to simply bail out in this\nscenario.\n\nHowever, in general we must if at all possible never assume VMG state is\nstable after a merge attempt, since merge operations update VMG fields. \nAs a result, additionally also make this clear by storing start, end in\nlocal variables.\n\nThe issue was reported originally by syzkaller, and by Brad Spengler (via\nan off-list discussion), and in both instances it manifested as a\ntriggering of the assert:\n\n\tVM_WARN_ON_VMG(start \u003e= end, vmg);\n\nIn vma_merge_existing_range().\n\nIt seems at least one scenario in which this is occurring is one in which\nthe merge being attempted is due to an madvise() across multiple VMAs\nwhich looks like this:\n\n        start     end\n          |\u003c------\u003e|\n     |----------|------|\n     |   vma    | next |\n     |----------|------|\n\nWhen madvise_walk_vmas() is invoked, we first find vma in the above\n(determining prev to be equal to vma as we are offset into vma), and then\nenter the loop.\n\nWe determine the end of vma that forms part of the range we are\nmadvise()\u0027ing by setting \u0027tmp\u0027 to this value:\n\n\t\t/* Here vma-\u003evm_start \u003c= start \u003c (end|vma-\u003evm_end) */\n\t\ttmp = vma-\u003evm_end;\n\nWe then invoke the madvise() operation via visit(), letting prev get\nupdated to point to vma as part of the operation:\n\n\t\t/* Here vma-\u003evm_start \u003c= start \u003c tmp \u003c= (end|vma-\u003evm_end). */\n\t\terror = visit(vma, \u0026prev, start, tmp, arg);\n\nWhere the visit() function pointer in this instance is\nmadvise_vma_behavior().\n\nAs observed in syzkaller reports, it is ultimately madvise_update_vma()\nthat is invoked, calling vma_modify_flags_name() and vma_modify() in turn.\n\nThen, in vma_modify(), we attempt the merge:\n\n\tmerged = vma_merge_existing_range(vmg);\n\tif (merged)\n\t\treturn merged;\n\nWe invoke this with vmg-\u003estart, end set to start, tmp as such:\n\n        start  tmp\n          |\u003c---\u003e|\n     |----------|------|\n     |   vma    | next |\n     |----------|------|\n\nWe find ourselves in the merge right scenario, but the one in which we\ncannot remove the middle (we are offset into vma).\n\nHere we have a special case where vmg-\u003estart, end get set to perhaps\nunintuitive values - we intended to shrink the middle VMA and expand the\nnext.\n\nThis means vmg-\u003estart, end are set to...  vma-\u003evm_start, start.\n\nNow the commit_merge() fails, and vmg-\u003estart, end are left like this. \nThis means we return to the rest of vma_modify() with vmg-\u003estart, end\n(here denoted as start\u0027, end\u0027) set as:\n\n  start\u0027 end\u0027\n     |\u003c--\u003e|\n     |----------|------|\n     |   vma    | next |\n     |----------|------|\n\nSo we now erroneously try to split accordingly.  This is where the\nunfortunate\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:51.264Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/79636d2981b066acd945117387a9533f56411f6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/53fd215f7886a1e8dea5a9ca1391dbb697fff601"
        },
        {
          "url": "https://git.kernel.org/stable/c/47b16d0462a460000b8f05dfb1292377ac48f3ca"
        }
      ],
      "title": "mm: abort vma_modify() on merge out of memory failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21932",
    "datePublished": "2025-04-01T15:41:01.792Z",
    "dateReserved": "2024-12-29T08:45:45.789Z",
    "dateUpdated": "2025-05-04T07:24:51.264Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21932\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-01T16:15:24.040\",\"lastModified\":\"2025-04-01T20:26:01.990\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: abort vma_modify() on merge out of memory failure\\n\\nThe remainder of vma_modify() relies upon the vmg state remaining pristine\\nafter a merge attempt.\\n\\nUsually this is the case, however in the one edge case scenario of a merge\\nattempt failing not due to the specified range being unmergeable, but\\nrather due to an out of memory error arising when attempting to commit the\\nmerge, this assumption becomes untrue.\\n\\nThis results in vmg-\u003estart, end being modified, and thus the proceeding\\nattempts to split the VMA will be done with invalid start/end values.\\n\\nThankfully, it is likely practically impossible for us to hit this in\\nreality, as it would require a maple tree node pre-allocation failure that\\nwould likely never happen due to it being \u0027too small to fail\u0027, i.e.  the\\nkernel would simply keep retrying reclaim until it succeeded.\\n\\nHowever, this scenario remains theoretically possible, and what we are\\ndoing here is wrong so we must correct it.\\n\\nThe safest option is, when this scenario occurs, to simply give up the\\noperation.  If we cannot allocate memory to merge, then we cannot allocate\\nmemory to split either (perhaps moreso!).\\n\\nAny scenario where this would be happening would be under very extreme\\n(likely fatal) memory pressure, so it\u0027s best we give up early.\\n\\nSo there is no doubt it is appropriate to simply bail out in this\\nscenario.\\n\\nHowever, in general we must if at all possible never assume VMG state is\\nstable after a merge attempt, since merge operations update VMG fields. \\nAs a result, additionally also make this clear by storing start, end in\\nlocal variables.\\n\\nThe issue was reported originally by syzkaller, and by Brad Spengler (via\\nan off-list discussion), and in both instances it manifested as a\\ntriggering of the assert:\\n\\n\\tVM_WARN_ON_VMG(start \u003e= end, vmg);\\n\\nIn vma_merge_existing_range().\\n\\nIt seems at least one scenario in which this is occurring is one in which\\nthe merge being attempted is due to an madvise() across multiple VMAs\\nwhich looks like this:\\n\\n        start     end\\n          |\u003c------\u003e|\\n     |----------|------|\\n     |   vma    | next |\\n     |----------|------|\\n\\nWhen madvise_walk_vmas() is invoked, we first find vma in the above\\n(determining prev to be equal to vma as we are offset into vma), and then\\nenter the loop.\\n\\nWe determine the end of vma that forms part of the range we are\\nmadvise()\u0027ing by setting \u0027tmp\u0027 to this value:\\n\\n\\t\\t/* Here vma-\u003evm_start \u003c= start \u003c (end|vma-\u003evm_end) */\\n\\t\\ttmp = vma-\u003evm_end;\\n\\nWe then invoke the madvise() operation via visit(), letting prev get\\nupdated to point to vma as part of the operation:\\n\\n\\t\\t/* Here vma-\u003evm_start \u003c= start \u003c tmp \u003c= (end|vma-\u003evm_end). */\\n\\t\\terror = visit(vma, \u0026prev, start, tmp, arg);\\n\\nWhere the visit() function pointer in this instance is\\nmadvise_vma_behavior().\\n\\nAs observed in syzkaller reports, it is ultimately madvise_update_vma()\\nthat is invoked, calling vma_modify_flags_name() and vma_modify() in turn.\\n\\nThen, in vma_modify(), we attempt the merge:\\n\\n\\tmerged = vma_merge_existing_range(vmg);\\n\\tif (merged)\\n\\t\\treturn merged;\\n\\nWe invoke this with vmg-\u003estart, end set to start, tmp as such:\\n\\n        start  tmp\\n          |\u003c---\u003e|\\n     |----------|------|\\n     |   vma    | next |\\n     |----------|------|\\n\\nWe find ourselves in the merge right scenario, but the one in which we\\ncannot remove the middle (we are offset into vma).\\n\\nHere we have a special case where vmg-\u003estart, end get set to perhaps\\nunintuitive values - we intended to shrink the middle VMA and expand the\\nnext.\\n\\nThis means vmg-\u003estart, end are set to...  vma-\u003evm_start, start.\\n\\nNow the commit_merge() fails, and vmg-\u003estart, end are left like this. \\nThis means we return to the rest of vma_modify() with vmg-\u003estart, end\\n(here denoted as start\u0027, end\u0027) set as:\\n\\n  start\u0027 end\u0027\\n     |\u003c--\u003e|\\n     |----------|------|\\n     |   vma    | next |\\n     |----------|------|\\n\\nSo we now erroneously try to split accordingly.  This is where the\\nunfortunate\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: abortar vma_modify() en caso de fallo de memoria insuficiente en la fusi\u00f3n. El resto de vma_modify() depende de que el estado de vmg permanezca intacto tras un intento de fusi\u00f3n. Normalmente, este es el caso; sin embargo, en el caso extremo de que un intento de fusi\u00f3n falle no porque el rango especificado no se pueda fusionar, sino debido a un error de memoria insuficiente al intentar confirmar la fusi\u00f3n, esta suposici\u00f3n se vuelve falsa. Esto da como resultado que vmg-\u0026gt;start, end se modifique y, por lo tanto, los intentos posteriores de dividir el VMA se realizar\u00e1n con valores de inicio/fin no v\u00e1lidos. Afortunadamente, es pr\u00e1cticamente imposible que logremos esto en la realidad, ya que requerir\u00eda un fallo de preasignaci\u00f3n de nodos del \u00e1rbol de maple que probablemente nunca ocurrir\u00eda por ser \\\"demasiado peque\u00f1o para fallar\\\", es decir, el kernel simplemente seguir\u00eda reintentando la recuperaci\u00f3n hasta que tuviera \u00e9xito. Sin embargo, este escenario sigue siendo te\u00f3ricamente posible, y lo que estamos haciendo aqu\u00ed es incorrecto, por lo que debemos corregirlo. La opci\u00f3n m\u00e1s segura, cuando ocurre este escenario, es simplemente abandonar la operaci\u00f3n. Si no podemos asignar memoria para la fusi\u00f3n, tampoco podemos asignar memoria para la divisi\u00f3n (\u00a1quiz\u00e1s incluso m\u00e1s!). Cualquier escenario donde esto ocurra estar\u00eda bajo una presi\u00f3n de memoria muy extrema (probablemente fatal), por lo que es mejor abandonar pronto. Por lo tanto, no hay duda de que es apropiado simplemente abandonar en este escenario. Sin embargo, en general, si es posible, nunca debemos asumir que el estado de VMG es estable despu\u00e9s de un intento de fusi\u00f3n, ya que las operaciones de fusi\u00f3n actualizan los campos de VMG. Como resultado, tambi\u00e9n debemos aclarar esto almacenando inicio y fin en variables locales. El problema fue reportado originalmente por syzkaller y por Brad Spengler (a trav\u00e9s de una discusi\u00f3n fuera de la lista), y en ambos casos se manifest\u00f3 como una activaci\u00f3n de la aserci\u00f3n: VM_WARN_ON_VMG(start \u0026gt;= end, vmg); In vma_merge_existing_range(). Parece que al menos un escenario en el que esto ocurre es uno en el que la fusi\u00f3n que se intenta se debe a una funci\u00f3n madvise() en m\u00faltiples VMA, con este aspecto: inicio fin |\u0026lt;------\u0026gt;| |----------|------| | vma | siguiente | |----------|------| Cuando se invoca madvise_walk_vmas(), primero encontramos vma en lo anterior (determinando que prev sea igual a vma, ya que estamos desplazados hacia vma) y luego entramos en el bucle. Determinamos el final de vma que forma parte del rango que estamos ejecutando con madvise() estableciendo \u0027tmp\u0027 en este valor: /* Aqu\u00ed vma-\u0026gt;vm_start \u0026lt;= start \u0026lt; (end|vma-\u0026gt;vm_end) */ tmp = vma-\u0026gt;vm_end; Luego invocamos la operaci\u00f3n madvise() a trav\u00e9s de visit(), permitiendo que prev se actualice para apuntar a vma como parte de la operaci\u00f3n: /* Aqu\u00ed vma-\u0026gt;vm_start \u0026lt;= start \u0026lt; tmp \u0026lt;= (end|vma-\u0026gt;vm_end). */ error = visit(vma, \u0026amp;prev, start, tmp, arg); Donde el puntero de la funci\u00f3n visit() en esta instancia es madvise_vma_behavior(). Como se observa en los informes de syzkaller, en \u00faltima instancia es madvise_update_vma() el que se invoca, llamando a vma_modify_flags_name() y vma_modify() a su vez. Luego, en vma_modify(), intentamos la fusi\u00f3n: merged = vma_merge_existing_range(vmg); if (merged) return merged; Invocamos esto con vmg-\u0026gt;start, end establecido en start, tmp como tal: start tmp |\u0026lt;---\u0026gt;| |----------|------| | vma | next | |----------|------| Nos encontramos en el escenario correcto de fusi\u00f3n, pero en el que no podemos eliminar la parte central (estamos desplazados hacia vma). Aqu\u00ed tenemos un caso especial donde vmg-\u0026gt;start, end se establecen en valores quiz\u00e1s poco intuitivos: pretend\u00edamos reducir la VMA central y expandir la siguiente. Esto significa que vmg-\u0026gt;start, end se establecen en... vma-\u0026gt;vm_start, start. Ahora, commit_merge() falla y vmg-\u0026gt;start, end se mantienen as\u00ed. Esto significa que volvemos al resto de vma_modify() ---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/47b16d0462a460000b8f05dfb1292377ac48f3ca\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/53fd215f7886a1e8dea5a9ca1391dbb697fff601\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/79636d2981b066acd945117387a9533f56411f6f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.