ghsa-9x83-7qxw-53vc
Vulnerability from github
Published
2025-02-27 03:34
Modified
2025-02-27 03:34
Details

In the Linux kernel, the following vulnerability has been resolved:

tracing: Do not allow mmap() of persistent ring buffer

When trying to mmap a trace instance buffer that is attached to reserve_mem, it would crash:

BUG: unable to handle page fault for address: ffffe97bd00025c8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 2862f3067 P4D 2862f3067 PUD 0 Oops: Oops: 0000 [#1] PREEMPT_RT SMP PTI CPU: 4 UID: 0 PID: 981 Comm: mmap-rb Not tainted 6.14.0-rc2-test-00003-g7f1a5e3fbf9e-dirty #233 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:validate_page_before_insert+0x5/0xb0 Code: e2 01 89 d0 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 <48> 8b 46 08 a8 01 75 67 66 90 48 89 f0 8b 50 34 85 d2 74 76 48 89 RSP: 0018:ffffb148c2f3f968 EFLAGS: 00010246 RAX: ffff9fa5d3322000 RBX: ffff9fa5ccff9c08 RCX: 00000000b879ed29 RDX: ffffe97bd00025c0 RSI: ffffe97bd00025c0 RDI: ffff9fa5ccff9c08 RBP: ffffb148c2f3f9f0 R08: 0000000000000004 R09: 0000000000000004 R10: 0000000000000000 R11: 0000000000000200 R12: 0000000000000000 R13: 00007f16a18d5000 R14: ffff9fa5c48db6a8 R15: 0000000000000000 FS: 00007f16a1b54740(0000) GS:ffff9fa73df00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffe97bd00025c8 CR3: 00000001048c6006 CR4: 0000000000172ef0 Call Trace: ? __die_body.cold+0x19/0x1f ? __die+0x2e/0x40 ? page_fault_oops+0x157/0x2b0 ? search_module_extables+0x53/0x80 ? validate_page_before_insert+0x5/0xb0 ? kernelmode_fixup_or_oops.isra.0+0x5f/0x70 ? __bad_area_nosemaphore+0x16e/0x1b0 ? bad_area_nosemaphore+0x16/0x20 ? do_kern_addr_fault+0x77/0x90 ? exc_page_fault+0x22b/0x230 ? asm_exc_page_fault+0x2b/0x30 ? validate_page_before_insert+0x5/0xb0 ? vm_insert_pages+0x151/0x400 __rb_map_vma+0x21f/0x3f0 ring_buffer_map+0x21b/0x2f0 tracing_buffers_mmap+0x70/0xd0 __mmap_region+0x6f0/0xbd0 mmap_region+0x7f/0x130 do_mmap+0x475/0x610 vm_mmap_pgoff+0xf2/0x1d0 ksys_mmap_pgoff+0x166/0x200 __x64_sys_mmap+0x37/0x50 x64_sys_call+0x1670/0x1d70 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The reason was that the code that maps the ring buffer pages to user space has:

page = virt_to_page((void *)cpu_buffer->subbuf_ids[s]);

And uses that in:

vm_insert_pages(vma, vma->vm_start, pages, &nr_pages);

But virt_to_page() does not work with vmap()'d memory which is what the persistent ring buffer has. It is rather trivial to allow this, but for now just disable mmap() of instances that have their ring buffer from the reserve_mem option.

If an mmap() is performed on a persistent buffer it will return -ENODEV just like it would if the .mmap field wasn't defined in the file_operations structure.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-21778"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T03:15:18Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Do not allow mmap() of persistent ring buffer\n\nWhen trying to mmap a trace instance buffer that is attached to\nreserve_mem, it would crash:\n\n BUG: unable to handle page fault for address: ffffe97bd00025c8\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 2862f3067 P4D 2862f3067 PUD 0\n Oops: Oops: 0000 [#1] PREEMPT_RT SMP PTI\n CPU: 4 UID: 0 PID: 981 Comm: mmap-rb Not tainted 6.14.0-rc2-test-00003-g7f1a5e3fbf9e-dirty #233\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n RIP: 0010:validate_page_before_insert+0x5/0xb0\n Code: e2 01 89 d0 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 \u003c48\u003e 8b 46 08 a8 01 75 67 66 90 48 89 f0 8b 50 34 85 d2 74 76 48 89\n RSP: 0018:ffffb148c2f3f968 EFLAGS: 00010246\n RAX: ffff9fa5d3322000 RBX: ffff9fa5ccff9c08 RCX: 00000000b879ed29\n RDX: ffffe97bd00025c0 RSI: ffffe97bd00025c0 RDI: ffff9fa5ccff9c08\n RBP: ffffb148c2f3f9f0 R08: 0000000000000004 R09: 0000000000000004\n R10: 0000000000000000 R11: 0000000000000200 R12: 0000000000000000\n R13: 00007f16a18d5000 R14: ffff9fa5c48db6a8 R15: 0000000000000000\n FS:  00007f16a1b54740(0000) GS:ffff9fa73df00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffe97bd00025c8 CR3: 00000001048c6006 CR4: 0000000000172ef0\n Call Trace:\n  \u003cTASK\u003e\n  ? __die_body.cold+0x19/0x1f\n  ? __die+0x2e/0x40\n  ? page_fault_oops+0x157/0x2b0\n  ? search_module_extables+0x53/0x80\n  ? validate_page_before_insert+0x5/0xb0\n  ? kernelmode_fixup_or_oops.isra.0+0x5f/0x70\n  ? __bad_area_nosemaphore+0x16e/0x1b0\n  ? bad_area_nosemaphore+0x16/0x20\n  ? do_kern_addr_fault+0x77/0x90\n  ? exc_page_fault+0x22b/0x230\n  ? asm_exc_page_fault+0x2b/0x30\n  ? validate_page_before_insert+0x5/0xb0\n  ? vm_insert_pages+0x151/0x400\n  __rb_map_vma+0x21f/0x3f0\n  ring_buffer_map+0x21b/0x2f0\n  tracing_buffers_mmap+0x70/0xd0\n  __mmap_region+0x6f0/0xbd0\n  mmap_region+0x7f/0x130\n  do_mmap+0x475/0x610\n  vm_mmap_pgoff+0xf2/0x1d0\n  ksys_mmap_pgoff+0x166/0x200\n  __x64_sys_mmap+0x37/0x50\n  x64_sys_call+0x1670/0x1d70\n  do_syscall_64+0xbb/0x1d0\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe reason was that the code that maps the ring buffer pages to user space\nhas:\n\n\tpage = virt_to_page((void *)cpu_buffer-\u003esubbuf_ids[s]);\n\nAnd uses that in:\n\n\tvm_insert_pages(vma, vma-\u003evm_start, pages, \u0026nr_pages);\n\nBut virt_to_page() does not work with vmap()\u0027d memory which is what the\npersistent ring buffer has. It is rather trivial to allow this, but for\nnow just disable mmap() of instances that have their ring buffer from the\nreserve_mem option.\n\nIf an mmap() is performed on a persistent buffer it will return -ENODEV\njust like it would if the .mmap field wasn\u0027t defined in the\nfile_operations structure.",
  "id": "GHSA-9x83-7qxw-53vc",
  "modified": "2025-02-27T03:34:06Z",
  "published": "2025-02-27T03:34:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21778"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/129fe718819cc5e24ea2f489db9ccd4371f0c6f6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cf5aa560e5c7628b57c928741d7e6a9a0f6f0e67"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e8dff5f73912513fc9b52ab992d861517c9a9975"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.