github - ghsa-fcgh-gjcg-cmc2

ghsa-fcgh-gjcg-cmc2

Vulnerability from github

Published

2025-04-01 18:30

Modified

2025-04-01 18:30

Details

In the Linux kernel, the following vulnerability has been resolved:

mm: abort vma_modify() on merge out of memory failure

The remainder of vma_modify() relies upon the vmg state remaining pristine after a merge attempt.

Usually this is the case, however in the one edge case scenario of a merge attempt failing not due to the specified range being unmergeable, but rather due to an out of memory error arising when attempting to commit the merge, this assumption becomes untrue.

This results in vmg->start, end being modified, and thus the proceeding attempts to split the VMA will be done with invalid start/end values.

Thankfully, it is likely practically impossible for us to hit this in reality, as it would require a maple tree node pre-allocation failure that would likely never happen due to it being 'too small to fail', i.e. the kernel would simply keep retrying reclaim until it succeeded.

However, this scenario remains theoretically possible, and what we are doing here is wrong so we must correct it.

The safest option is, when this scenario occurs, to simply give up the operation. If we cannot allocate memory to merge, then we cannot allocate memory to split either (perhaps moreso!).

Any scenario where this would be happening would be under very extreme (likely fatal) memory pressure, so it's best we give up early.

So there is no doubt it is appropriate to simply bail out in this scenario.

However, in general we must if at all possible never assume VMG state is stable after a merge attempt, since merge operations update VMG fields. As a result, additionally also make this clear by storing start, end in local variables.

The issue was reported originally by syzkaller, and by Brad Spengler (via an off-list discussion), and in both instances it manifested as a triggering of the assert:

VM_WARN_ON_VMG(start >= end, vmg);

In vma_merge_existing_range().

It seems at least one scenario in which this is occurring is one in which the merge being attempted is due to an madvise() across multiple VMAs which looks like this:

    start     end
      |<------>|
 |----------|------|
 |   vma    | next |
 |----------|------|

When madvise_walk_vmas() is invoked, we first find vma in the above (determining prev to be equal to vma as we are offset into vma), and then enter the loop.

We determine the end of vma that forms part of the range we are madvise()'ing by setting 'tmp' to this value:

    /* Here vma->vm_start <= start < (end|vma->vm_end) */
    tmp = vma->vm_end;

We then invoke the madvise() operation via visit(), letting prev get updated to point to vma as part of the operation:

    /* Here vma->vm_start <= start < tmp <= (end|vma->vm_end). */
    error = visit(vma, &prev, start, tmp, arg);

Where the visit() function pointer in this instance is madvise_vma_behavior().

As observed in syzkaller reports, it is ultimately madvise_update_vma() that is invoked, calling vma_modify_flags_name() and vma_modify() in turn.

Then, in vma_modify(), we attempt the merge:

merged = vma_merge_existing_range(vmg);
if (merged)
    return merged;

We invoke this with vmg->start, end set to start, tmp as such:

    start  tmp
      |<--->|
 |----------|------|
 |   vma    | next |
 |----------|------|

We find ourselves in the merge right scenario, but the one in which we cannot remove the middle (we are offset into vma).

Here we have a special case where vmg->start, end get set to perhaps unintuitive values - we intended to shrink the middle VMA and expand the next.

This means vmg->start, end are set to... vma->vm_start, start.

Now the commit_merge() fails, and vmg->start, end are left like this. This means we return to the rest of vma_modify() with vmg->start, end (here denoted as start', end') set as:

start' end' |<-->| |----------|------| | vma | next | |----------|------|

So we now erroneously try to split accordingly. This is where the unfortunate ---truncated---

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-21932"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T16:15:24Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: abort vma_modify() on merge out of memory failure\n\nThe remainder of vma_modify() relies upon the vmg state remaining pristine\nafter a merge attempt.\n\nUsually this is the case, however in the one edge case scenario of a merge\nattempt failing not due to the specified range being unmergeable, but\nrather due to an out of memory error arising when attempting to commit the\nmerge, this assumption becomes untrue.\n\nThis results in vmg-\u003estart, end being modified, and thus the proceeding\nattempts to split the VMA will be done with invalid start/end values.\n\nThankfully, it is likely practically impossible for us to hit this in\nreality, as it would require a maple tree node pre-allocation failure that\nwould likely never happen due to it being \u0027too small to fail\u0027, i.e.  the\nkernel would simply keep retrying reclaim until it succeeded.\n\nHowever, this scenario remains theoretically possible, and what we are\ndoing here is wrong so we must correct it.\n\nThe safest option is, when this scenario occurs, to simply give up the\noperation.  If we cannot allocate memory to merge, then we cannot allocate\nmemory to split either (perhaps moreso!).\n\nAny scenario where this would be happening would be under very extreme\n(likely fatal) memory pressure, so it\u0027s best we give up early.\n\nSo there is no doubt it is appropriate to simply bail out in this\nscenario.\n\nHowever, in general we must if at all possible never assume VMG state is\nstable after a merge attempt, since merge operations update VMG fields. \nAs a result, additionally also make this clear by storing start, end in\nlocal variables.\n\nThe issue was reported originally by syzkaller, and by Brad Spengler (via\nan off-list discussion), and in both instances it manifested as a\ntriggering of the assert:\n\n\tVM_WARN_ON_VMG(start \u003e= end, vmg);\n\nIn vma_merge_existing_range().\n\nIt seems at least one scenario in which this is occurring is one in which\nthe merge being attempted is due to an madvise() across multiple VMAs\nwhich looks like this:\n\n        start     end\n          |\u003c------\u003e|\n     |----------|------|\n     |   vma    | next |\n     |----------|------|\n\nWhen madvise_walk_vmas() is invoked, we first find vma in the above\n(determining prev to be equal to vma as we are offset into vma), and then\nenter the loop.\n\nWe determine the end of vma that forms part of the range we are\nmadvise()\u0027ing by setting \u0027tmp\u0027 to this value:\n\n\t\t/* Here vma-\u003evm_start \u003c= start \u003c (end|vma-\u003evm_end) */\n\t\ttmp = vma-\u003evm_end;\n\nWe then invoke the madvise() operation via visit(), letting prev get\nupdated to point to vma as part of the operation:\n\n\t\t/* Here vma-\u003evm_start \u003c= start \u003c tmp \u003c= (end|vma-\u003evm_end). */\n\t\terror = visit(vma, \u0026prev, start, tmp, arg);\n\nWhere the visit() function pointer in this instance is\nmadvise_vma_behavior().\n\nAs observed in syzkaller reports, it is ultimately madvise_update_vma()\nthat is invoked, calling vma_modify_flags_name() and vma_modify() in turn.\n\nThen, in vma_modify(), we attempt the merge:\n\n\tmerged = vma_merge_existing_range(vmg);\n\tif (merged)\n\t\treturn merged;\n\nWe invoke this with vmg-\u003estart, end set to start, tmp as such:\n\n        start  tmp\n          |\u003c---\u003e|\n     |----------|------|\n     |   vma    | next |\n     |----------|------|\n\nWe find ourselves in the merge right scenario, but the one in which we\ncannot remove the middle (we are offset into vma).\n\nHere we have a special case where vmg-\u003estart, end get set to perhaps\nunintuitive values - we intended to shrink the middle VMA and expand the\nnext.\n\nThis means vmg-\u003estart, end are set to...  vma-\u003evm_start, start.\n\nNow the commit_merge() fails, and vmg-\u003estart, end are left like this. \nThis means we return to the rest of vma_modify() with vmg-\u003estart, end\n(here denoted as start\u0027, end\u0027) set as:\n\n  start\u0027 end\u0027\n     |\u003c--\u003e|\n     |----------|------|\n     |   vma    | next |\n     |----------|------|\n\nSo we now erroneously try to split accordingly.  This is where the\nunfortunate\n---truncated---",
  "id": "GHSA-fcgh-gjcg-cmc2",
  "modified": "2025-04-01T18:30:52Z",
  "published": "2025-04-01T18:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21932"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/47b16d0462a460000b8f05dfb1292377ac48f3ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/53fd215f7886a1e8dea5a9ca1391dbb697fff601"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/79636d2981b066acd945117387a9533f56411f6f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2025-21932 (GCVE-0-2025-21932)

Vulnerability from cvelistv5

Published

2025-04-01 15:41

Modified

2025-05-04 07:24

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mm: abort vma_modify() on merge out of memory failure The remainder of vma_modify() relies upon the vmg state remaining pristine after a merge attempt. Usually this is the case, however in the one edge case scenario of a merge attempt failing not due to the specified range being unmergeable, but rather due to an out of memory error arising when attempting to commit the merge, this assumption becomes untrue. This results in vmg->start, end being modified, and thus the proceeding attempts to split the VMA will be done with invalid start/end values. Thankfully, it is likely practically impossible for us to hit this in reality, as it would require a maple tree node pre-allocation failure that would likely never happen due to it being 'too small to fail', i.e. the kernel would simply keep retrying reclaim until it succeeded. However, this scenario remains theoretically possible, and what we are doing here is wrong so we must correct it. The safest option is, when this scenario occurs, to simply give up the operation. If we cannot allocate memory to merge, then we cannot allocate memory to split either (perhaps moreso!). Any scenario where this would be happening would be under very extreme (likely fatal) memory pressure, so it's best we give up early. So there is no doubt it is appropriate to simply bail out in this scenario. However, in general we must if at all possible never assume VMG state is stable after a merge attempt, since merge operations update VMG fields. As a result, additionally also make this clear by storing start, end in local variables. The issue was reported originally by syzkaller, and by Brad Spengler (via an off-list discussion), and in both instances it manifested as a triggering of the assert: VM_WARN_ON_VMG(start >= end, vmg); In vma_merge_existing_range(). It seems at least one scenario in which this is occurring is one in which the merge being attempted is due to an madvise() across multiple VMAs which looks like this: start end |<------>| |----------|------| | vma | next | |----------|------| When madvise_walk_vmas() is invoked, we first find vma in the above (determining prev to be equal to vma as we are offset into vma), and then enter the loop. We determine the end of vma that forms part of the range we are madvise()'ing by setting 'tmp' to this value: /* Here vma->vm_start <= start < (end|vma->vm_end) */ tmp = vma->vm_end; We then invoke the madvise() operation via visit(), letting prev get updated to point to vma as part of the operation: /* Here vma->vm_start <= start < tmp <= (end|vma->vm_end). */ error = visit(vma, &prev, start, tmp, arg); Where the visit() function pointer in this instance is madvise_vma_behavior(). As observed in syzkaller reports, it is ultimately madvise_update_vma() that is invoked, calling vma_modify_flags_name() and vma_modify() in turn. Then, in vma_modify(), we attempt the merge: merged = vma_merge_existing_range(vmg); if (merged) return merged; We invoke this with vmg->start, end set to start, tmp as such: start tmp |<--->| |----------|------| | vma | next | |----------|------| We find ourselves in the merge right scenario, but the one in which we cannot remove the middle (we are offset into vma). Here we have a special case where vmg->start, end get set to perhaps unintuitive values - we intended to shrink the middle VMA and expand the next. This means vmg->start, end are set to... vma->vm_start, start. Now the commit_merge() fails, and vmg->start, end are left like this. This means we return to the rest of vma_modify() with vmg->start, end (here denoted as start', end') set as: start' end' |<-->| |----------|------| | vma | next | |----------|------| So we now erroneously try to split accordingly. This is where the unfortunate ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/79636d2981b066acd945117387a9533f56411f6f
	https://git.kernel.org/stable/c/53fd215f7886a1e8dea5a9ca1391dbb697fff601
	https://git.kernel.org/stable/c/47b16d0462a460000b8f05dfb1292377ac48f3ca

Impacted products

Vendor

Product

Version

►

Linux

Version: 2f1c6611b0a89afcb8641471af5f223c9caa01e0
Version: 2f1c6611b0a89afcb8641471af5f223c9caa01e0
Version: 2f1c6611b0a89afcb8641471af5f223c9caa01e0

Linux

Version: 6.12

Show details on NVD website