Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-21984

Severity CVSS v4.0:
Pending analysis
Type:
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
01/04/2025
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: fix kernel BUG when userfaultfd_move encounters swapcache<br /> <br /> userfaultfd_move() checks whether the PTE entry is present or a<br /> swap entry.<br /> <br /> - If the PTE entry is present, move_present_pte() handles folio<br /> migration by setting:<br /> <br /> src_folio-&gt;index = linear_page_index(dst_vma, dst_addr);<br /> <br /> - If the PTE entry is a swap entry, move_swap_pte() simply copies<br /> the PTE to the new dst_addr.<br /> <br /> This approach is incorrect because, even if the PTE is a swap entry,<br /> it can still reference a folio that remains in the swap cache.<br /> <br /> This creates a race window between steps 2 and 4.<br /> 1. add_to_swap: The folio is added to the swapcache.<br /> 2. try_to_unmap: PTEs are converted to swap entries.<br /> 3. pageout: The folio is written back.<br /> 4. Swapcache is cleared.<br /> If userfaultfd_move() occurs in the window between steps 2 and 4,<br /> after the swap PTE has been moved to the destination, accessing the<br /> destination triggers do_swap_page(), which may locate the folio in<br /> the swapcache. However, since the folio&amp;#39;s index has not been updated<br /> to match the destination VMA, do_swap_page() will detect a mismatch.<br /> <br /> This can result in two critical issues depending on the system<br /> configuration.<br /> <br /> If KSM is disabled, both small and large folios can trigger a BUG<br /> during the add_rmap operation due to:<br /> <br /> page_pgoff(folio, page) != linear_page_index(vma, address)<br /> <br /> [ 13.336953] page: refcount:6 mapcount:1 mapping:00000000f43db19c index:0xffffaf150 pfn:0x4667c<br /> [ 13.337520] head: order:2 mapcount:1 entire_mapcount:0 nr_pages_mapped:1 pincount:0<br /> [ 13.337716] memcg:ffff00000405f000<br /> [ 13.337849] anon flags: 0x3fffc0000020459(locked|uptodate|dirty|owner_priv_1|head|swapbacked|node=0|zone=0|lastcpupid=0xffff)<br /> [ 13.338630] raw: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361<br /> [ 13.338831] raw: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000<br /> [ 13.339031] head: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361<br /> [ 13.339204] head: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000<br /> [ 13.339375] head: 03fffc0000000202 fffffdffc0199f01 ffffffff00000000 0000000000000001<br /> [ 13.339546] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000<br /> [ 13.339736] page dumped because: VM_BUG_ON_PAGE(page_pgoff(folio, page) != linear_page_index(vma, address))<br /> [ 13.340190] ------------[ cut here ]------------<br /> [ 13.340316] kernel BUG at mm/rmap.c:1380!<br /> [ 13.340683] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP<br /> [ 13.340969] Modules linked in:<br /> [ 13.341257] CPU: 1 UID: 0 PID: 107 Comm: a.out Not tainted 6.14.0-rc3-gcf42737e247a-dirty #299<br /> [ 13.341470] Hardware name: linux,dummy-virt (DT)<br /> [ 13.341671] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 13.341815] pc : __page_check_anon_rmap+0xa0/0xb0<br /> [ 13.341920] lr : __page_check_anon_rmap+0xa0/0xb0<br /> [ 13.342018] sp : ffff80008752bb20<br /> [ 13.342093] x29: ffff80008752bb20 x28: fffffdffc0199f00 x27: 0000000000000001<br /> [ 13.342404] x26: 0000000000000000 x25: 0000000000000001 x24: 0000000000000001<br /> [ 13.342575] x23: 0000ffffaf0d0000 x22: 0000ffffaf0d0000 x21: fffffdffc0199f00<br /> [ 13.342731] x20: fffffdffc0199f00 x19: ffff000006210700 x18: 00000000ffffffff<br /> [ 13.342881] x17: 6c203d2120296567 x16: 6170202c6f696c6f x15: 662866666f67705f<br /> [ 13.343033] x14: 6567617028454741 x13: 2929737365726464 x12: ffff800083728ab0<br /> [ 13.343183] x11: ffff800082996bf8 x10: 0000000000000fd7 x9 : ffff80008011bc40<br /> [ 13.343351] x8 : 0000000000017fe8 x7 : 00000000fffff000 x6 : ffff8000829eebf8<br /> [ 13.343498] x5 : c0000000fffff000 x4 : 0000000000000000 x3 : 0000000000000000<br /> [ 13.343645] x2 : 0000000000000000 x1 : ffff0000062db980 x0 : 000000000000005f<br /> [ 13.343876] Call trace:<br /> [ 13.344045] __page_check_anon_rmap+0xa0/0xb0 (P)<br /> [ 13.344234] folio_add_anon_rmap_ptes+0x22c/0x320<br /> [ 13.344333] do_swap_page+0x1060/0x1400<br /> [ 13.344417] __handl<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 4.70 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
4.70
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.8 (including) 6.12.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools