fkie_cve-2025-38447
Vulnerability from fkie_nvd
Published
2025-07-25 16:15
Modified
2025-07-29 14:14
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: mm/rmap: fix potential out-of-bounds page table access during batched unmap As pointed out by David[1], the batched unmap logic in try_to_unmap_one() may read past the end of a PTE table when a large folio's PTE mappings are not fully contained within a single page table. While this scenario might be rare, an issue triggerable from userspace must be fixed regardless of its likelihood. This patch fixes the out-of-bounds access by refactoring the logic into a new helper, folio_unmap_pte_batch(). The new helper correctly calculates the safe batch size by capping the scan at both the VMA and PMD boundaries. To simplify the code, it also supports partial batching (i.e., any number of pages from 1 up to the calculated safe maximum), as there is no strong reason to special-case for fully mapped folios.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/510fe9c15d07e765d96be9a9dc37e5057c6c09f4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ddd05742b45b083975a0855ef6ebbf88cf1f532a
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/rmap: fix potential out-of-bounds page table access during batched unmap\n\nAs pointed out by David[1], the batched unmap logic in\ntry_to_unmap_one() may read past the end of a PTE table when a large\nfolio\u0027s PTE mappings are not fully contained within a single page\ntable.\n\nWhile this scenario might be rare, an issue triggerable from userspace\nmust be fixed regardless of its likelihood.  This patch fixes the\nout-of-bounds access by refactoring the logic into a new helper,\nfolio_unmap_pte_batch().\n\nThe new helper correctly calculates the safe batch size by capping the\nscan at both the VMA and PMD boundaries.  To simplify the code, it also\nsupports partial batching (i.e., any number of pages from 1 up to the\ncalculated safe maximum), as there is no strong reason to special-case\nfor fully mapped folios."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/rmap: corrige el posible acceso fuera de los l\u00edmites de la tabla de p\u00e1ginas durante la desasignaci\u00f3n por lotes Como se\u00f1al\u00f3 David[1], la l\u00f3gica de desasignaci\u00f3n por lotes en try_to_unmap_one() puede leer m\u00e1s all\u00e1 del final de una tabla PTE cuando las asignaciones PTE de un folio grande no est\u00e1n completamente contenidas dentro de una sola tabla de p\u00e1ginas. Si bien este escenario puede ser poco com\u00fan, un problema desencadenable desde el espacio de usuario debe corregirse independientemente de su probabilidad. Este parche corrige el acceso fuera de los l\u00edmites refactorizando la l\u00f3gica en un nuevo ayudante, folio_unmap_pte_batch(). El nuevo ayudante calcula correctamente el tama\u00f1o de lote seguro al limitar el escaneo en los l\u00edmites de VMA y PMD. Para simplificar el c\u00f3digo, tambi\u00e9n admite el procesamiento por lotes parcial (es decir, cualquier n\u00famero de p\u00e1ginas desde 1 hasta el m\u00e1ximo seguro calculado), ya que no hay una raz\u00f3n s\u00f3lida para un caso especial de folios completamente mapeados."
    }
  ],
  "id": "CVE-2025-38447",
  "lastModified": "2025-07-29T14:14:55.157",
  "metrics": {},
  "published": "2025-07-25T16:15:30.210",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/510fe9c15d07e765d96be9a9dc37e5057c6c09f4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ddd05742b45b083975a0855ef6ebbf88cf1f532a"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.