CVE-2025-21709
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/02/2025
Last modified: 27/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

kernel: be more careful about dup_mmap() failures and uprobe registering

If a memory allocation fails during dup_mmap(), the maple tree can be left
in an unsafe state for other iterators besides the exit path. All the
locks are dropped before the exit_mmap() call (in mm/mmap.c), but the
incomplete mm_struct can be reached through (at least) the rmap finding
the vmas which have a pointer back to the mm_struct.

Up to this point, there have been no issues with being able to find an
mm_struct that was only partially initialised. Syzbot was able to make
the incomplete mm_struct fail with recent forking changes, so it has been
proven unsafe to use the mm_struct that hasn't been initialised, as
referenced in the link below.

Although 8ac662f5da19f ("fork: avoid inappropriate uprobe access to
invalid mm") fixed the uprobe access, it does not completely remove the
race.

This patch sets the MMF_OOM_SKIP to avoid the iteration of the vmas on the
oom side (even though this is extremely unlikely to be selected as an oom
victim in the race window), and sets MMF_UNSTABLE to avoid other potential
users from using a partially initialised mm_struct.

When registering vmas for uprobe, skip the vmas in an mm that is marked
unstable. Modifying a vma in an unstable mm may cause issues if the mm
isn't fully initialised.