CVE-2025-40009

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/proc/task_mmu: check p-&gt;vec_buf for NULL<br /> <br /> When the PAGEMAP_SCAN ioctl is invoked with vec_len = 0 reaches<br /> pagemap_scan_backout_range(), kernel panics with null-ptr-deref:<br /> <br /> [ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI<br /> [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br /> [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none)<br /> [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014<br /> [ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80<br /> <br /> <br /> <br /> [ 44.946828] Call Trace:<br /> [ 44.947030] <br /> [ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0<br /> [ 44.952593] walk_pmd_range.isra.0+0x302/0x910<br /> [ 44.954069] walk_pud_range.isra.0+0x419/0x790<br /> [ 44.954427] walk_p4d_range+0x41e/0x620<br /> [ 44.954743] walk_pgd_range+0x31e/0x630<br /> [ 44.955057] __walk_page_range+0x160/0x670<br /> [ 44.956883] walk_page_range_mm+0x408/0x980<br /> [ 44.958677] walk_page_range+0x66/0x90<br /> [ 44.958984] do_pagemap_scan+0x28d/0x9c0<br /> [ 44.961833] do_pagemap_cmd+0x59/0x80<br /> [ 44.962484] __x64_sys_ioctl+0x18d/0x210<br /> [ 44.962804] do_syscall_64+0x5b/0x290<br /> [ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are<br /> allocated and p-&gt;vec_buf remains set to NULL.<br /> <br /> This breaks an assumption made later in pagemap_scan_backout_range(), that<br /> page_region is always allocated for p-&gt;vec_buf_index.<br /> <br /> Fix it by explicitly checking p-&gt;vec_buf for NULL before dereferencing.<br /> <br /> Other sites that might run into same deref-issue are already (directly or<br /> transitively) protected by checking p-&gt;vec_buf.<br /> <br /> Note:<br /> From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output<br /> is requested and it&amp;#39;s only the side effects caller is interested in,<br /> hence it passes check in pagemap_scan_get_args().<br /> <br /> This issue was found by syzkaller.