CVE-2025-40008
Severity:
Pending analysis
Type:
Not available / Other
Publication date:
20/10/2025
Last modified:
21/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

kmsan: fix out-of-bounds access to shadow memory

Running sha224_kunit on a KMSAN-enabled kernel results in a crash in
kmsan_internal_set_shadow_origin():

BUG: unable to handle page fault for address: ffffbc3840291000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0
Oops: 0000 [#1] SMP NOPTI
CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary)
Tainted: [N]=TEST
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100
[...]
Call Trace:

__msan_memset+0xee/0x1a0
sha224_final+0x9e/0x350
test_hash_buffer_overruns+0x46f/0x5f0
? kmsan_get_shadow_origin_ptr+0x46/0xa0
? __pfx_test_hash_buffer_overruns+0x10/0x10
kunit_try_run_case+0x198/0xa00

This occurs when memset() is called on a buffer that is not 4-byte aligned
and extends to the end of a guard page, i.e. the next page is unmapped.

The bug is that the loop at the end of kmsan_internal_set_shadow_origin()
accesses the wrong shadow memory bytes when the address is not 4-byte
aligned. Since each 4 bytes are associated with an origin, it rounds the
address and size so that it can access all the origins that contain the
buffer. However, when it checks the corresponding shadow bytes for a
particular origin, it incorrectly uses the original unrounded shadow
address. This results in reads from shadow memory beyond the end of the
buffer's shadow memory, which crashes when that memory is not mapped.

To fix this, correctly align the shadow address before accessing the 4
shadow bytes corresponding to each origin.
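The arithmetic behind the over-read described above, as an added illustration that is not the kernel's code: a constructed model in which one "page" of shadow bytes is mapped and everything past it is the unmapped guard page. The model rounds the start address and size to the 4-byte origin granularity exactly as the description says, then walks the four shadow bytes per origin either from the unrounded shadow offset (the defect) or from the aligned one (the fix), counting how many bytes land outside the mapped page. `SHADOW_PAGE_BYTES`, `ORIGIN_SIZE` and `count_shadow_overreads` are names chosen for this example, and the page size is shrunk to 16 bytes so the walk is easy to follow.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (not kmsan code): shadow bytes [0, SHADOW_PAGE_BYTES)
 * are mapped; any byte at or past that offset is the unmapped guard page. */
#define SHADOW_PAGE_BYTES 16u
#define ORIGIN_SIZE 4u   /* one origin slot covers 4 shadow bytes */

/* Count shadow bytes read outside the mapped page by the origin loop for a
 * buffer whose shadow starts at byte offset 'off' in the page and is 'size'
 * bytes long. 'fixed' = true uses the aligned shadow base (the fix); false
 * reproduces the defect of indexing from the unrounded shadow address. */
static unsigned count_shadow_overreads(unsigned off, unsigned size, bool fixed)
{
    unsigned pad = off % ORIGIN_SIZE;             /* misalignment of the address */
    unsigned rounded_start = off - pad;           /* first byte of the first origin */
    unsigned rounded_size =                       /* cover every origin touching the buffer */
        ((size + pad) + ORIGIN_SIZE - 1) / ORIGIN_SIZE * ORIGIN_SIZE;
    unsigned base = fixed ? rounded_start : off;  /* the bug: 'off' is not rounded */
    unsigned overreads = 0;

    for (unsigned i = 0; i < rounded_size / ORIGIN_SIZE; i++) {
        for (unsigned b = 0; b < ORIGIN_SIZE; b++) {
            unsigned byte = base + i * ORIGIN_SIZE + b;
            if (byte >= SHADOW_PAGE_BYTES)        /* would fault on a real guard page */
                overreads++;
        }
    }
    return overreads;
}

int main(void)
{
    /* Buffer at offset 1 (unaligned), 15 bytes long, ending at the page edge:
     * the unrounded walk steps one byte into the guard page; the aligned walk does not. */
    printf("unaligned buffer, buggy walk:   %u bytes past the page\n",
           count_shadow_overreads(1, 15, false));
    printf("unaligned buffer, fixed walk:   %u bytes past the page\n",
           count_shadow_overreads(1, 15, true));
    /* A 4-byte-aligned buffer is unaffected either way. */
    printf("aligned buffer, buggy walk:     %u bytes past the page\n",
           count_shadow_overreads(0, 16, false));
    /* An unaligned buffer that stops short of the page edge stays in bounds too. */
    printf("unaligned, short of page edge:  %u bytes past the page\n",
           count_shadow_overreads(1, 10, false));
    return 0;
}
```

The model matches the two conditions the description names: the over-read needs both a misaligned address (so that `pad` is non-zero and the rounded size grows past the buffer) and a buffer that ends at the mapped page boundary (so the extra bytes fall on unmapped memory).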
Impact
References to solutions, tools and information
- https://git.kernel.org/stable/c/5855792c6bb9a825607845db3feaddaff0414ec3
- https://git.kernel.org/stable/c/85e1ff61060a765d91ee62dc5606d4d547d9d105
- https://git.kernel.org/stable/c/df1fa034c0fc229a63d01ffb20bb919b839cb576
- https://git.kernel.org/stable/c/e6684ed39edc35401a3341f85b1ab50a6f89a45d
- https://git.kernel.org/stable/c/f84e48707051812289b6c2684d4df2daa9d3bfbc