CVE-2025-21949 (GCVE-0-2025-21949)
Vulnerability from cvelistv5
Published
2025-04-01 15:41
Modified
2025-05-04 07:25
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Set hugetlb mmap base address aligned with pmd size With ltp test case "testcases/bin/hugefork02", there is a dmesg error report message such as: kernel BUG at mm/hugetlb.c:5550! Oops - BUG[#1]: CPU: 0 UID: 0 PID: 1517 Comm: hugefork02 Not tainted 6.14.0-rc2+ #241 Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022 pc 90000000004eaf1c ra 9000000000485538 tp 900000010edbc000 sp 900000010edbf940 a0 900000010edbfb00 a1 9000000108d20280 a2 00007fffe9474000 a3 00007ffff3474000 a4 0000000000000000 a5 0000000000000003 a6 00000000003cadd3 a7 0000000000000000 t0 0000000001ffffff t1 0000000001474000 t2 900000010ecd7900 t3 00007fffe9474000 t4 00007fffe9474000 t5 0000000000000040 t6 900000010edbfb00 t7 0000000000000001 t8 0000000000000005 u0 90000000004849d0 s9 900000010edbfa00 s0 9000000108d20280 s1 00007fffe9474000 s2 0000000002000000 s3 9000000108d20280 s4 9000000002b38b10 s5 900000010edbfb00 s6 00007ffff3474000 s7 0000000000000406 s8 900000010edbfa08 ra: 9000000000485538 unmap_vmas+0x130/0x218 ERA: 90000000004eaf1c __unmap_hugepage_range+0x6f4/0x7d0 PRMD: 00000004 (PPLV0 +PIE -PWE) EUEN: 00000007 (+FPE +SXE +ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0) PRID: 0014c010 (Loongson-64bit, Loongson-3A5000) Process hugefork02 (pid: 1517, threadinfo=00000000a670eaf4, task=000000007a95fc64) Call Trace: [<90000000004eaf1c>] __unmap_hugepage_range+0x6f4/0x7d0 [<9000000000485534>] unmap_vmas+0x12c/0x218 [<9000000000494068>] exit_mmap+0xe0/0x308 [<900000000025fdc4>] mmput+0x74/0x180 [<900000000026a284>] do_exit+0x294/0x898 [<900000000026aa30>] do_group_exit+0x30/0x98 [<900000000027bed4>] get_signal+0x83c/0x868 [<90000000002457b4>] arch_do_signal_or_restart+0x54/0xfa0 [<90000000015795e8>] irqentry_exit_to_user_mode+0xb8/0x138 [<90000000002572d0>] tlb_do_page_fault_1+0x114/0x1b4 The problem is that base address allocated from hugetlbfs is not aligned with pmd size. Here add a checking for hugetlbfs and align base address with pmd size. After this patch the test case "testcases/bin/hugefork02" passes to run. This is similar to the commit 7f24cbc9c4d42db8a3c8484d1 ("mm/mmap: teach generic_get_unmapped_area{_topdown} to handle hugetlb mappings").
References
Impacted products
Vendor Product Version
Linux Linux Version: fa96b57c149061f71a70bd6582d995f6424fbbf4
Version: fa96b57c149061f71a70bd6582d995f6424fbbf4
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/loongarch/mm/mmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "242b34f48a377afe4b285b472bd0f17744fca8e8",
              "status": "affected",
              "version": "fa96b57c149061f71a70bd6582d995f6424fbbf4",
              "versionType": "git"
            },
            {
              "lessThan": "3109d5ff484b7bc7b955f166974c6776d91f247b",
              "status": "affected",
              "version": "fa96b57c149061f71a70bd6582d995f6424fbbf4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/loongarch/mm/mmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Set hugetlb mmap base address aligned with pmd size\n\nWith ltp test case \"testcases/bin/hugefork02\", there is a dmesg error\nreport message such as:\n\n kernel BUG at mm/hugetlb.c:5550!\n Oops - BUG[#1]:\n CPU: 0 UID: 0 PID: 1517 Comm: hugefork02 Not tainted 6.14.0-rc2+ #241\n Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n pc 90000000004eaf1c ra 9000000000485538 tp 900000010edbc000 sp 900000010edbf940\n a0 900000010edbfb00 a1 9000000108d20280 a2 00007fffe9474000 a3 00007ffff3474000\n a4 0000000000000000 a5 0000000000000003 a6 00000000003cadd3 a7 0000000000000000\n t0 0000000001ffffff t1 0000000001474000 t2 900000010ecd7900 t3 00007fffe9474000\n t4 00007fffe9474000 t5 0000000000000040 t6 900000010edbfb00 t7 0000000000000001\n t8 0000000000000005 u0 90000000004849d0 s9 900000010edbfa00 s0 9000000108d20280\n s1 00007fffe9474000 s2 0000000002000000 s3 9000000108d20280 s4 9000000002b38b10\n s5 900000010edbfb00 s6 00007ffff3474000 s7 0000000000000406 s8 900000010edbfa08\n    ra: 9000000000485538 unmap_vmas+0x130/0x218\n   ERA: 90000000004eaf1c __unmap_hugepage_range+0x6f4/0x7d0\n  PRMD: 00000004 (PPLV0 +PIE -PWE)\n  EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\n  ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n ESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)\n PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n Process hugefork02 (pid: 1517, threadinfo=00000000a670eaf4, task=000000007a95fc64)\n Call Trace:\n [\u003c90000000004eaf1c\u003e] __unmap_hugepage_range+0x6f4/0x7d0\n [\u003c9000000000485534\u003e] unmap_vmas+0x12c/0x218\n [\u003c9000000000494068\u003e] exit_mmap+0xe0/0x308\n [\u003c900000000025fdc4\u003e] mmput+0x74/0x180\n [\u003c900000000026a284\u003e] do_exit+0x294/0x898\n [\u003c900000000026aa30\u003e] do_group_exit+0x30/0x98\n [\u003c900000000027bed4\u003e] get_signal+0x83c/0x868\n [\u003c90000000002457b4\u003e] arch_do_signal_or_restart+0x54/0xfa0\n [\u003c90000000015795e8\u003e] irqentry_exit_to_user_mode+0xb8/0x138\n [\u003c90000000002572d0\u003e] tlb_do_page_fault_1+0x114/0x1b4\n\nThe problem is that base address allocated from hugetlbfs is not aligned\nwith pmd size. Here add a checking for hugetlbfs and align base address\nwith pmd size. After this patch the test case \"testcases/bin/hugefork02\"\npasses to run.\n\nThis is similar to the commit 7f24cbc9c4d42db8a3c8484d1 (\"mm/mmap: teach\ngeneric_get_unmapped_area{_topdown} to handle hugetlb mappings\")."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:29.369Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/242b34f48a377afe4b285b472bd0f17744fca8e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/3109d5ff484b7bc7b955f166974c6776d91f247b"
        }
      ],
      "title": "LoongArch: Set hugetlb mmap base address aligned with pmd size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21949",
    "datePublished": "2025-04-01T15:41:10.451Z",
    "dateReserved": "2024-12-29T08:45:45.790Z",
    "dateUpdated": "2025-05-04T07:25:29.369Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21949\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-01T16:15:26.067\",\"lastModified\":\"2025-04-11T13:11:06.313\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nLoongArch: Set hugetlb mmap base address aligned with pmd size\\n\\nWith ltp test case \\\"testcases/bin/hugefork02\\\", there is a dmesg error\\nreport message such as:\\n\\n kernel BUG at mm/hugetlb.c:5550!\\n Oops - BUG[#1]:\\n CPU: 0 UID: 0 PID: 1517 Comm: hugefork02 Not tainted 6.14.0-rc2+ #241\\n Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\\n pc 90000000004eaf1c ra 9000000000485538 tp 900000010edbc000 sp 900000010edbf940\\n a0 900000010edbfb00 a1 9000000108d20280 a2 00007fffe9474000 a3 00007ffff3474000\\n a4 0000000000000000 a5 0000000000000003 a6 00000000003cadd3 a7 0000000000000000\\n t0 0000000001ffffff t1 0000000001474000 t2 900000010ecd7900 t3 00007fffe9474000\\n t4 00007fffe9474000 t5 0000000000000040 t6 900000010edbfb00 t7 0000000000000001\\n t8 0000000000000005 u0 90000000004849d0 s9 900000010edbfa00 s0 9000000108d20280\\n s1 00007fffe9474000 s2 0000000002000000 s3 9000000108d20280 s4 9000000002b38b10\\n s5 900000010edbfb00 s6 00007ffff3474000 s7 0000000000000406 s8 900000010edbfa08\\n    ra: 9000000000485538 unmap_vmas+0x130/0x218\\n   ERA: 90000000004eaf1c __unmap_hugepage_range+0x6f4/0x7d0\\n  PRMD: 00000004 (PPLV0 +PIE -PWE)\\n  EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\\n  ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\\n ESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)\\n PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\\n Process hugefork02 (pid: 1517, threadinfo=00000000a670eaf4, task=000000007a95fc64)\\n Call Trace:\\n [\u003c90000000004eaf1c\u003e] __unmap_hugepage_range+0x6f4/0x7d0\\n [\u003c9000000000485534\u003e] unmap_vmas+0x12c/0x218\\n [\u003c9000000000494068\u003e] exit_mmap+0xe0/0x308\\n [\u003c900000000025fdc4\u003e] mmput+0x74/0x180\\n [\u003c900000000026a284\u003e] do_exit+0x294/0x898\\n [\u003c900000000026aa30\u003e] do_group_exit+0x30/0x98\\n [\u003c900000000027bed4\u003e] get_signal+0x83c/0x868\\n [\u003c90000000002457b4\u003e] arch_do_signal_or_restart+0x54/0xfa0\\n [\u003c90000000015795e8\u003e] irqentry_exit_to_user_mode+0xb8/0x138\\n [\u003c90000000002572d0\u003e] tlb_do_page_fault_1+0x114/0x1b4\\n\\nThe problem is that base address allocated from hugetlbfs is not aligned\\nwith pmd size. Here add a checking for hugetlbfs and align base address\\nwith pmd size. After this patch the test case \\\"testcases/bin/hugefork02\\\"\\npasses to run.\\n\\nThis is similar to the commit 7f24cbc9c4d42db8a3c8484d1 (\\\"mm/mmap: teach\\ngeneric_get_unmapped_area{_topdown} to handle hugetlb mappings\\\").\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: LoongArch: Establecer la direcci\u00f3n base mmap de hugetlb alineada con el tama\u00f1o de pmd Con el caso de prueba ltp \\\"testcases/bin/hugefork02\\\", hay un mensaje de informe de error dmesg como: \u00a1ERROR del kernel en mm/hugetlb.c:5550! Ups - BUG[#1]: CPU: 0 UID: 0 PID: 1517 Comm: hugefork02 No contaminado 6.14.0-rc2+ #241 Nombre del hardware: QEMU M\u00e1quina virtual QEMU, BIOS desconocido 2/2/2022 pc 90000000004eaf1c ra 9000000000485538 tp 900000010edbc000 sp 900000010edbf940 a0 900000010edbfb00 a1 9000000108d20280 a2 00007fffe9474000 a3 00007ffff3474000 a4 000000000000000 a5 0000000000000003 a6 00000000003cadd3 a7 0000000000000000 t0 0000000001ffffff t1 0000000001474000 t2 900000010ecd7900 t3 00007fffe9474000 t4 00007fffe9474000 t5 0000000000000040 t6 900000010edbfb00 t7 000000000000001 t8 000000000000005 u0 9000000004849d0 s9 900000010edbfa00 s0 9000000108d20280 s1 00007fffe9474000 s2 0000000002000000 s3 9000000108d20280 s4 9000000002b38b10 s5 900000010edbfb00 s6 00007ffff3474000 s7 0000000000000406 s8 900000010edbfa08 ra: 9000000000485538 unmap_vmas+0x130/0x218 ERA: 90000000004eaf1c __unmap_hugepage_range+0x6f4/0x7d0 PRMD: 00000004 (PPLV0 +PIE -PWE) EUEN: 00000007 (+FPE +SXE +ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 000c0000 [BRK] (IS= ECode=12 EssubCode=0) PRID: 0014c010 (Loongson-64bit, Loongson-3A5000) Proceso hugefork02 (pid: 1517, threadinfo=00000000a670eaf4, task=000000007a95fc64) Seguimiento de llamadas: [\u0026lt;90000000004eaf1c\u0026gt;] __unmap_hugepage_range+0x6f4/0x7d0 [\u0026lt;9000000000485534\u0026gt;] unmap_vmas+0x12c/0x218 [\u0026lt;9000000000494068\u0026gt;] exit_mmap+0xe0/0x308 [\u0026lt;900000000025fdc4\u0026gt;] mmput+0x74/0x180 [\u0026lt;900000000026a284\u0026gt;] do_exit+0x294/0x898 [\u0026lt;900000000026aa30\u0026gt;] do_group_exit+0x30/0x98 [\u0026lt;900000000027bed4\u0026gt;] get_signal+0x83c/0x868 [\u0026lt;90000000002457b4\u0026gt;] arch_do_signal_or_restart+0x54/0xfa0 [\u0026lt;90000000015795e8\u0026gt;] irqentry_exit_to_user_mode+0xb8/0x138 [\u0026lt;90000000002572d0\u0026gt;] tlb_do_page_fault_1+0x114/0x1b4 El problema radica en que la direcci\u00f3n base asignada desde hugetlbfs no est\u00e1 alineada con el tama\u00f1o de pmd. A\u00f1ada una comprobaci\u00f3n para hugetlbfs y alinee la direcci\u00f3n base con el tama\u00f1o de pmd. Despu\u00e9s de esta correcci\u00f3n, el caso de prueba \\\"testcases/bin/hugefork02\\\" pasa a ejecuci\u00f3n. Esto es similar a el commit 7f24cbc9c4d42db8a3c8484d1 (\\\"mm/mmap: ense\u00f1ar a generic_get_unmapped_area{_topdown} a manejar asignaciones hugetlb\\\").\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.19\",\"versionEndExcluding\":\"6.13.7\",\"matchCriteriaId\":\"3006F272-B371-4865-9AA4-8780A7A21AA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"186716B6-2B66-4BD0-852E-D48E71C0C85F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D3E781C-403A-498F-9DA9-ECEE50F41E75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"66619FB8-0AAF-4166-B2CF-67B24143261D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3D6550E-6679-4560-902D-AF52DCFE905B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"45B90F6B-BEC7-4D4E-883A-9DBADE021750\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/242b34f48a377afe4b285b472bd0f17744fca8e8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3109d5ff484b7bc7b955f166974c6776d91f247b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.