fkie_cve-2025-22045
Vulnerability from fkie_nvd
Published
2025-04-16 15:15
Modified
2025-04-17 20:22
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs On the following path, flush_tlb_range() can be used for zapping normal PMD entries (PMD entries that point to page tables) together with the PTE entries in the pointed-to page table: collapse_pte_mapped_thp pmdp_collapse_flush flush_tlb_range The arm64 version of flush_tlb_range() has a comment describing that it can be used for page table removal, and does not use any last-level invalidation optimizations. Fix the X86 version by making it behave the same way. Currently, X86 only uses this information for the following two purposes, which I think means the issue doesn't have much impact: - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be IPI'd to avoid issues with speculative page table walks. - In Hyper-V TLB paravirtualization, again for lazy TLB stuff. The patch "x86/mm: only invalidate final translations with INVLPGB" which is currently under review (see <https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>) would probably be making the impact of this a lot worse.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0708fd6bd8161871bfbadced2ca4319b84ab44fe
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0a8f806ea6b5dd64b3d1f05ff774817d5f7ddbd1
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/320ac1af4c0bdb92c864dc9250d1329234820edf
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3ef938c3503563bfc2ac15083557f880d29c2e64
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/556d446068f90981e5d71ca686bdaccdd545d491
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/618d5612ecb7bfc1c85342daafeb2b47e29e77a3
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7085895c59e4057ffae17f58990ccb630087d0d2
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/78d6f9a9eb2a5da6fcbd76d6191d24b0dcc321be
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/93224deb50a8d20df3884f3672ce9f982129aa50
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Fix flush_tlb_range() when used for zapping normal PMDs\n\nOn the following path, flush_tlb_range() can be used for zapping normal\nPMD entries (PMD entries that point to page tables) together with the PTE\nentries in the pointed-to page table:\n\n    collapse_pte_mapped_thp\n      pmdp_collapse_flush\n        flush_tlb_range\n\nThe arm64 version of flush_tlb_range() has a comment describing that it can\nbe used for page table removal, and does not use any last-level\ninvalidation optimizations. Fix the X86 version by making it behave the\nsame way.\n\nCurrently, X86 only uses this information for the following two purposes,\nwhich I think means the issue doesn\u0027t have much impact:\n\n - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be\n   IPI\u0027d to avoid issues with speculative page table walks.\n - In Hyper-V TLB paravirtualization, again for lazy TLB stuff.\n\nThe patch \"x86/mm: only invalidate final translations with INVLPGB\" which\nis currently under review (see\n\u003chttps://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/\u003e)\nwould probably be making the impact of this a lot worse."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: x86/mm: Arregla flush_tlb_range() cuando se usa para zapping de PMD normales En la siguiente ruta, flush_tlb_range() se puede usar para zapping de entradas PMD normales (entradas PMD que apuntan a tablas de p\u00e1ginas) junto con las entradas PTE en la tabla de p\u00e1ginas apuntada: colapso_pte_mapped_thp pmdp_collapse_flush flush_tlb_range La versi\u00f3n arm64 de flush_tlb_range() tiene un comentario que describe que se puede usar para la eliminaci\u00f3n de la tabla de p\u00e1ginas y no usa ninguna optimizaci\u00f3n de invalidaci\u00f3n de \u00faltimo nivel. Arregla la versi\u00f3n X86 haciendo que se comporte de la misma manera. Actualmente, X86 solo usa esta informaci\u00f3n para los dos prop\u00f3sitos siguientes, lo que creo que significa que el problema no tiene mucho impacto: - En native_flush_tlb_multi() para verificar si las CPU TLB perezosas necesitan ser IPI\u0027d para evitar problemas con recorridos especulativos de la tabla de p\u00e1ginas. En la paravirtualizaci\u00f3n de TLB de Hyper-V, de nuevo para problemas de TLB lentos. El parche \"x86/mm: solo invalidar las traducciones finales con INVLPGB\", actualmente en revisi\u00f3n (v\u00e9ase ), probablemente estar\u00eda agravando considerablemente el impacto de esto."
    }
  ],
  "id": "CVE-2025-22045",
  "lastModified": "2025-04-17T20:22:16.240",
  "metrics": {},
  "published": "2025-04-16T15:15:57.920",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/0708fd6bd8161871bfbadced2ca4319b84ab44fe"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/0a8f806ea6b5dd64b3d1f05ff774817d5f7ddbd1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/320ac1af4c0bdb92c864dc9250d1329234820edf"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3ef938c3503563bfc2ac15083557f880d29c2e64"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/556d446068f90981e5d71ca686bdaccdd545d491"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/618d5612ecb7bfc1c85342daafeb2b47e29e77a3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7085895c59e4057ffae17f58990ccb630087d0d2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/78d6f9a9eb2a5da6fcbd76d6191d24b0dcc321be"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/93224deb50a8d20df3884f3672ce9f982129aa50"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.