fkie_cve-2025-21869
Vulnerability from fkie_nvd
Published
2025-03-27 14:15
Modified
2025-03-27 16:45
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Disable KASAN report during patching via temporary mm Erhard reports the following KASAN hit on Talos II (power9) with kernel 6.13: [ 12.028126] ================================================================== [ 12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0 [ 12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1 [ 12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.13.0-P9-dirty #3 [ 12.028408] Tainted: [T]=RANDSTRUCT [ 12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV [ 12.028500] Call Trace: [ 12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable) [ 12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708 [ 12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300 [ 12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370 [ 12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40 [ 12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0 [ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210 [ 12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590 [ 12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0 [ 12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0 [ 12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930 [ 12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280 [ 12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370 [ 12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00 [ 12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40 [ 12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610 [ 12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280 [ 12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8 [ 12.029608] NIP: 00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000 [ 12.029660] REGS: c000000008dbfe80 TRAP: 3000 Tainted: G T (6.13.0-P9-dirty) [ 12.029735] MSR: 900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI> CR: 42004848 XER: 00000000 [ 12.029855] IRQMASK: 0 GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005 GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008 GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000 GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90 GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80 GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8 GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580 [ 12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030405] --- interrupt: 3000 [ 12.030444] ================================================================== Commit c28c15b6d28a ("powerpc/code-patching: Use temporary mm for Radix MMU") is inspired from x86 but unlike x86 is doesn't disable KASAN reports during patching. This wasn't a problem at the begining because __patch_mem() is not instrumented. Commit 465cabc97b42 ("powerpc/code-patching: introduce patch_instructions()") use copy_to_kernel_nofault() to copy several instructions at once. But when using temporary mm the destination is not regular kernel memory but a kind of kernel-like memory located in user address space. ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5980d4456dd66d1b6505d5ec15048bd87e8775e0
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/dc9c5166c3cb044f8a001e397195242fd6796eee
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ea291447a4031f3dac5c23d55bc83fe833820d84
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/code-patching: Disable KASAN report during patching via temporary mm\n\nErhard reports the following KASAN hit on Talos II (power9) with kernel 6.13:\n\n[   12.028126] ==================================================================\n[   12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0\n[   12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1\n\n[   12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G                T  6.13.0-P9-dirty #3\n[   12.028408] Tainted: [T]=RANDSTRUCT\n[   12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV\n[   12.028500] Call Trace:\n[   12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable)\n[   12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708\n[   12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300\n[   12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370\n[   12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40\n[   12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0\n[   12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210\n[   12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590\n[   12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0\n[   12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0\n[   12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930\n[   12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280\n[   12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370\n[   12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00\n[   12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40\n[   12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610\n[   12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280\n[   12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8\n[   12.029608] NIP:  00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000\n[   12.029660] REGS: c000000008dbfe80 TRAP: 3000   Tainted: G                T   (6.13.0-P9-dirty)\n[   12.029735] MSR:  900000000280f032 \u003cSF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI\u003e  CR: 42004848  XER: 00000000\n[   12.029855] IRQMASK: 0\n               GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005\n               GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008\n               GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n               GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000\n               GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90\n               GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80\n               GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8\n               GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580\n[   12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8\n[   12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8\n[   12.030405] --- interrupt: 3000\n[   12.030444] ==================================================================\n\nCommit c28c15b6d28a (\"powerpc/code-patching: Use temporary mm for\nRadix MMU\") is inspired from x86 but unlike x86 is doesn\u0027t disable\nKASAN reports during patching. This wasn\u0027t a problem at the begining\nbecause __patch_mem() is not instrumented.\n\nCommit 465cabc97b42 (\"powerpc/code-patching: introduce\npatch_instructions()\") use copy_to_kernel_nofault() to copy several\ninstructions at once. But when using temporary mm the destination is\nnot regular kernel memory but a kind of kernel-like memory located\nin user address space. \n---truncated---"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: powerpc/code-patching: Deshabilitar el informe de KASAN durante la aplicaci\u00f3n de parches a trav\u00e9s de mm temporal Erhard informa el siguiente impacto de KASAN en Talos II (power9) con kernel 6.13: [ 12.028126] ====================================================================== [ 12.028198] ERROR: KASAN: acceso a memoria de usuario en copy_to_kernel_nofault+0x8c/0x1a0 [ 12.028260] Escritura de tama\u00f1o 8 en la direcci\u00f3n 0000187e458f2000 por la tarea systemd/1 [ 12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Contaminado: GT 6.13.0-P9-dirty #3 [ 12.028408] Contaminado: [T]=RANDSTRUCT [ 12.028446] Nombre del hardware: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV [ 12.028500] Rastreo de llamadas: [ 12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (no confiable) [ 12.028609] [c000000008dbf3f0] [c0000000006e2fc8] informe_de_impresi\u00f3n+0x6b0/0x708 [12.028666] [c000000008dbf4e0] [c0000000006e2454] informe_de_kasan+0x164/0x300 [12.028725] [c000000008dbf600] [c0000000006e54d4] rango_de_comprobaci\u00f3n_de_kasan+0x314/0x370 [12.028784] [c000000008dbf640] [c0000000006e6310] __escritura_de_comprobaci\u00f3n_de_kasan+0x20/0x40 [12.028842] [c000000008dbf660] [c000000000578e8c] copia_al_n\u00facleo_no_ofault+0x8c/0x1a0 [ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] __instrucciones_de_parche+0x194/0x210 [ 12.028965] [c000000008dbf6e0] [c0000000000ade80] instrucciones_de_parche+0x150/0x590 [ 12.029026] [c000000008dbf7c0] [c0000000001159bc] copia_de_texto_de_archivo_bpf+0x6c/0xe0 [ 12.029085] bpf_jit_binary_pack_finalize+0x40/0xc0 [12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930 [12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280 [12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370 [ 12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00 [ 12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40 [ 12.029435] [c000000008dbfd20] [c000000000038eb4] excepci\u00f3n de llamada del sistema+0x334/0x610 [ 12.029497] [c000000008dbfe50] [c00000000000c270] llamada_del_sistema_vectorizada_com\u00fan+0xf0/0x280 [12.029561] --- interrupci\u00f3n: 3000 en 0x3fff82f5cfa8 [12.029608] NIP: 00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 000000000000000 [12.029660] REG: c000000008dbfe80 TRAMPA: 3000 Contaminado: GT (6.13.0-P9-sucio) [12.029735] MSR: 900000000280f032 CR: 42004848 XER: 00000000 [ 12.029855] IRQMASK: 0 GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005 GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008 GPR08: 0000000000000000 00000000000000000 0000000000000000 00000000000000000 GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000 GPR16: 000000000000000 000000000000000 00003fffdcf78f28 00003fffdcf78f90 GPR20: 000000000000000 000000000000000 000000000000000 0000000000000000 00003fffdcf78f80 GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8 GPR28: 00003fffdcf78a98 0000000000000000 000000000000000 0000000011f547580 [ 12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030405] --- interrupci\u00f3n: 3000 [ 12.030444] ================================================================================= El commit c28c15b6d28a (\"powerpc/code-patching: Usar mm temporal para MMU de base\") est\u00e1 inspirada en x86, pero a diferencia de x86, no deshabilita los informes de KASAN durante la aplicaci\u00f3n de parches. Esto no fue un problema al principio, ya que __patch_mem() no est\u00e1 instrumentado. El commit 465cabc97b42 (\"powerpc/code-patching: introducir patch_instructions()\") usa copy_to_kernel_nofault() para copiar varias instrucciones a la vez. Pero cuando se utiliza mm temporal, el destino no es la memoria del n\u00facleo normal, sino un tipo de memoria similar al n\u00facleo ubicada en el espacio de direcciones del usuario. ---truncado---"
    }
  ],
  "id": "CVE-2025-21869",
  "lastModified": "2025-03-27T16:45:12.210",
  "metrics": {},
  "published": "2025-03-27T14:15:48.247",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/5980d4456dd66d1b6505d5ec15048bd87e8775e0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/dc9c5166c3cb044f8a001e397195242fd6796eee"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ea291447a4031f3dac5c23d55bc83fe833820d84"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.