fkie_cve-2025-38085
Vulnerability from fkie_nvd
Published
2025-06-28 08:15
Modified
2025-07-30 06:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed. If this happens in the middle of a concurrent gup_fast(), gup_fast() could end up walking the page tables of another process. While I don't see any way in which that immediately leads to kernel memory corruption, it is really weird and unexpected. Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(), just like we do in khugepaged when removing page tables for a THP collapse.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/034a52b5ef57c9c8225d94e9067f3390bb33922f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1013af4f585fccc4d3e5c5824d174de2257f7d6d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/952596b08c74e8fe9e2883d1dc8a8f54a37384ec
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a3d864c901a300c295692d129159fc3001a56185
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a6bfeb97941a9187833b526bc6cc4ff5706d0ce9
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b7754d3aa7bf9f62218d096c0c8f6c13698fac8b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fe684290418ef9ef76630072086ee530b92f02b8
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://project-zero.issues.chromium.org/issues/420715744
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race\n\nhuge_pmd_unshare() drops a reference on a page table that may have\npreviously been shared across processes, potentially turning it into a\nnormal page table used in another process in which unrelated VMAs can\nafterwards be installed.\n\nIf this happens in the middle of a concurrent gup_fast(), gup_fast() could\nend up walking the page tables of another process.  While I don\u0027t see any\nway in which that immediately leads to kernel memory corruption, it is\nreally weird and unexpected.\n\nFix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),\njust like we do in khugepaged when removing page tables for a THP\ncollapse."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/hugetlb: correcci\u00f3n de huge_pmd_unshare() frente a la competencia GUP-fast. huge_pmd_unshare() elimina una referencia en una tabla de p\u00e1ginas que podr\u00eda haber sido compartida previamente entre procesos, lo que podr\u00eda convertirla en una tabla de p\u00e1ginas normal utilizada por otro proceso en la que posteriormente se podr\u00edan instalar VMAs no relacionadas. Si esto ocurre durante una ejecuci\u00f3n simult\u00e1nea de gup_fast(), gup_fast() podr\u00eda terminar recorriendo las tablas de p\u00e1ginas de otro proceso. Si bien no veo ninguna forma en que esto provoque inmediatamente una corrupci\u00f3n de memoria en el kernel, es realmente extra\u00f1o e inesperado. Corr\u00edjalo con una IPI de difusi\u00f3n expl\u00edcita a trav\u00e9s de tlb_remove_table_sync_one(), tal como hacemos en khugepaged al eliminar tablas de p\u00e1ginas durante un colapso de THP."
    }
  ],
  "id": "CVE-2025-38085",
  "lastModified": "2025-07-30T06:15:27.177",
  "metrics": {},
  "published": "2025-06-28T08:15:24.843",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/034a52b5ef57c9c8225d94e9067f3390bb33922f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1013af4f585fccc4d3e5c5824d174de2257f7d6d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/952596b08c74e8fe9e2883d1dc8a8f54a37384ec"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a3d864c901a300c295692d129159fc3001a56185"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a6bfeb97941a9187833b526bc6cc4ff5706d0ce9"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b7754d3aa7bf9f62218d096c0c8f6c13698fac8b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/fe684290418ef9ef76630072086ee530b92f02b8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://project-zero.issues.chromium.org/issues/420715744"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.