CVE-2025-21866

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC<br /> <br /> Erhard reported the following KASAN hit while booting his PowerMac G4<br /> with a KASAN-enabled kernel 6.13-rc6:<br /> <br /> BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8<br /> Write of size 8 at addr f1000000 by task chronyd/1293<br /> <br /> CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2<br /> Tainted: [W]=WARN<br /> Hardware name: PowerMac3,6 7455 0x80010303 PowerMac<br /> Call Trace:<br /> [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable)<br /> [c24375b0] [c0504998] print_report+0xdc/0x504<br /> [c2437610] [c050475c] kasan_report+0xf8/0x108<br /> [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c<br /> [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8<br /> [c24376c0] [c004c014] patch_instructions+0x15c/0x16c<br /> [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c<br /> [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac<br /> [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec<br /> [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478<br /> [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14<br /> [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4<br /> [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890<br /> [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420<br /> [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c<br /> --- interrupt: c00 at 0x5a1274<br /> NIP: 005a1274 LR: 006a3b3c CTR: 005296c8<br /> REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4)<br /> MSR: 0200f932 CR: 24004422 XER: 00000000<br /> <br /> GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932<br /> GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57<br /> GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002<br /> GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001<br /> NIP [005a1274] 0x5a1274<br /> LR [006a3b3c] 0x6a3b3c<br /> --- interrupt: c00<br /> <br /> The buggy address belongs to the virtual mapping at<br /> [f1000000, f1002000) created by:<br /> text_area_cpu_up+0x20/0x190<br /> <br /> The buggy address belongs to the physical page:<br /> page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30<br /> flags: 0x80000000(zone=2)<br /> raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001<br /> raw: 00000000<br /> page dumped because: kasan: bad access detected<br /> <br /> Memory state around the buggy address:<br /> f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> &gt;f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8<br /> ^<br /> f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8<br /> f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8<br /> ==================================================================<br /> <br /> f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not<br /> initialised hence not supposed to be used yet.<br /> <br /> Powerpc text patching infrastructure allocates a virtual memory area<br /> using get_vm_area() and flags it as VM_ALLOC. But that flag is meant<br /> to be used for vmalloc() and vmalloc() allocated memory is not<br /> supposed to be used before a call to __vmalloc_node_range() which is<br /> never called for that area.<br /> <br /> That went undetected until commit e4137f08816b ("mm, kasan, kmsan:<br /> instrument copy_from/to_kernel_nofault")<br /> <br /> The area allocated by text_area_cpu_up() is not vmalloc memory, it is<br /> mapped directly on demand when needed by map_kernel_page(). There is<br /> no VM flag corresponding to such usage, so just pass no flag. That way<br /> the area will be unpoisonned and usable immediately.