CVE-2025-21709

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/02/2025
Last modified:
27/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

kernel: be more careful about dup_mmap() failures and uprobe registering

If a memory allocation fails during dup_mmap(), the maple tree can be left in an unsafe state for other iterators besides the exit path. All the locks are dropped before the exit_mmap() call (in mm/mmap.c), but the incomplete mm_struct can be reached through (at least) the rmap finding the vmas which have a pointer back to the mm_struct.

Up to this point, there have been no issues with being able to find an mm_struct that was only partially initialised. Syzbot was able to make the incomplete mm_struct fail with recent forking changes, so it has been proven unsafe to use the mm_struct that hasn't been initialised, as referenced in the link below.

Although 8ac662f5da19f ("fork: avoid inappropriate uprobe access to invalid mm") fixed the uprobe access, it does not completely remove the race.

This patch sets the MMF_OOM_SKIP to avoid the iteration of the vmas on the oom side (even though this is extremely unlikely to be selected as an oom victim in the race window), and sets MMF_UNSTABLE to avoid other potential users from using a partially initialised mm_struct.

When registering vmas for uprobe, skip the vmas in an mm that is marked unstable. Modifying a vma in an unstable mm may cause issues if the mm isn't fully initialised.
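The commit message describes a flag protocol rather than a single bad line of code: the copying path (dup_mmap()) marks a half-built mm_struct before it drops its locks, and every other path that can reach that mm through a back-pointer (rmap, uprobe registration, the OOM killer) must check the mark before touching it. The userland model below is an added example written for this page; it is not the kernel patch and not kernel code. The struct layouts, the global "rmap" list, the counting allocator that fails on a chosen call, and the fully_initialised field used to detect the race are all simplifications and assumptions; only the names dup_mmap, vm_mm, MMF_OOM_SKIP and MMF_UNSTABLE mirror the kernel's own (where the flags are set and tested with set_bit()/test_bit() on mm->flags rather than with plain bit operations).

```c
/* Added example: userland model of the MMF_UNSTABLE protocol from the commit
 * message. Not kernel code; structures and helpers are simplified assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MMF_OOM_SKIP (1UL << 0)
#define MMF_UNSTABLE (1UL << 1)
#define MAX_VMAS 8

struct mm_struct;

struct vm_area_struct {
    unsigned long vm_start, vm_end;
    struct mm_struct *vm_mm;          /* back-pointer: how rmap reaches the mm */
    struct vm_area_struct *rmap_next; /* stands in for the file's i_mmap tree */
};

struct mm_struct {
    unsigned long flags;
    size_t nr_vmas;
    struct vm_area_struct *vmas[MAX_VMAS];
    bool fully_initialised;           /* only the copying path knows this */
};

/* Global "rmap": every VMA mapping the probed file, whatever its mm's state. */
static struct vm_area_struct *i_mmap_head;
static int alloc_calls, fail_at;      /* allocator fails on the fail_at-th copy */
static int last_skipped;              /* results of the last scenario run */
static unsigned long last_child_flags;

static struct vm_area_struct *link_vma(struct mm_struct *mm, unsigned long s, unsigned long e)
{
    struct vm_area_struct *v = calloc(1, sizeof *v);
    if (!v)
        return NULL;
    v->vm_start = s; v->vm_end = e; v->vm_mm = mm;
    v->rmap_next = i_mmap_head;       /* reachable by other iterators from here on */
    i_mmap_head = v;
    return v;
}

/* dup_mmap() model: copy oldmm's VMAs into mm.  On failure, flag the mm before
 * returning, because the caller drops all locks before exit_mmap() runs. */
static int dup_mmap(struct mm_struct *mm, const struct mm_struct *oldmm)
{
    for (size_t i = 0; i < oldmm->nr_vmas; i++) {
        const struct vm_area_struct *src = oldmm->vmas[i];
        struct vm_area_struct *v = NULL;
        if (++alloc_calls != fail_at)
            v = link_vma(mm, src->vm_start, src->vm_end);
        if (!v) {
            mm->flags |= MMF_OOM_SKIP;  /* OOM killer must not walk a broken tree */
            mm->flags |= MMF_UNSTABLE;  /* everyone else: this mm is half-built */
            return -ENOMEM;
        }
        mm->vmas[mm->nr_vmas++] = v;
    }
    mm->fully_initialised = true;
    return 0;
}

/* Uprobe registration model: walk every VMA of the file via the rmap and
 * install the probe in the owning mm.  Returns the number installed, or -1 if
 * it would have modified a mm that dup_mmap() never finished (the race). */
static int register_for_each_vma(bool skip_unstable)
{
    int installed = 0;
    last_skipped = 0;
    for (struct vm_area_struct *v = i_mmap_head; v; v = v->rmap_next) {
        struct mm_struct *mm = v->vm_mm;
        if (skip_unstable && (mm->flags & MMF_UNSTABLE)) {
            last_skipped++;
            continue;
        }
        if (!mm->fully_initialised)
            return -1;
        installed++;
    }
    return installed;
}

static void reset_rmap(void)
{
    while (i_mmap_head) {
        struct vm_area_struct *n = i_mmap_head->rmap_next;
        free(i_mmap_head);
        i_mmap_head = n;
    }
    alloc_calls = 0;
}

/* Constructed scenario: the parent maps the file three times and the fork's
 * second VMA copy fails.  Returns what a uprobe registration racing with the
 * failed fork (locks dropped, exit_mmap() not yet run) observes. */
static int race_scenario(bool skip_unstable)
{
    struct mm_struct parent = { .fully_initialised = true }, child = { 0 };
    int ret;

    reset_rmap();
    for (unsigned long s = 0x1000; s < 0x4000; s += 0x1000)
        parent.vmas[parent.nr_vmas++] = link_vma(&parent, s, s + 0x1000);

    fail_at = 2;
    if (dup_mmap(&child, &parent) != -ENOMEM)
        abort();                      /* the model expects the fork to fail */
    last_child_flags = child.flags;

    /* The child's one copied VMA is already in the rmap, with vm_mm pointing
     * at the half-built child, exactly the reachability the message describes. */
    ret = register_for_each_vma(skip_unstable);
    reset_rmap();
    return ret;
}

int main(void)
{
    int r = race_scenario(false);
    printf("without MMF_UNSTABLE check: %s\n", r < 0 ? "touched half-built mm" : "ok");
    r = race_scenario(true);
    printf("with check: installed=%d skipped=%d child flags=0x%lx\n",
           r, last_skipped, last_child_flags);
    return 0;
}
```

The point the model makes is the one the message makes: it is not enough for the exit path to handle a partially copied tree, because the copied VMAs are already visible through the rmap before exit_mmap() runs, so the flag has to be set before the locks are dropped and checked by every walker that can arrive from a VMA rather than from the task.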

Impact