CVE-2025-68810
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 13/01/2026
Last modified: 14/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot

Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was
initially created with a guest_memfd binding, as KVM doesn't support
toggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling
KVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag.

Failure to reject the new memslot results in a use-after-free due to KVM
not unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY
change is easy enough, and can/will be done as a hardening measure (in
anticipation of KVM supporting dirty logging on guest_memfd at some point),
but fixing the use-after-free would only address the immediate symptom.

==================================================================
BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm]
Write of size 8 at addr ffff8881111ae908 by task repro/745

CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:

dump_stack_lvl+0x51/0x60
print_report+0xcb/0x5c0
kasan_report+0xb4/0xe0
kvm_gmem_release+0x362/0x400 [kvm]
__fput+0x2fa/0x9d0
task_work_run+0x12c/0x200
do_exit+0x6ae/0x2100
do_group_exit+0xa8/0x230
__x64_sys_exit_group+0x3a/0x50
x64_sys_call+0x737/0x740
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f581f2eac31

Allocated by task 745 on cpu 6 at 9.746971s:
kasan_save_stack+0x20/0x40
kasan_save_track+0x13/0x50
__kasan_kmalloc+0x77/0x90
kvm_set_memory_region.part.0+0x652/0x1110 [kvm]
kvm_vm_ioctl+0x14b0/0x3290 [kvm]
__x64_sys_ioctl+0x129/0x1a0
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53

Freed by task 745 on cpu 6 at 9.747467s:
kasan_save_stack+0x20/0x40
kasan_save_track+0x13/0x50
__kasan_save_free_info+0x37/0x50
__kasan_slab_free+0x3b/0x60
kfree+0xf5/0x440
kvm_set_memslot+0x3c2/0x1160 [kvm]
kvm_set_memory_region.part.0+0x86a/0x1110 [kvm]
kvm_vm_ioctl+0x14b0/0x3290 [kvm]
__x64_sys_ioctl+0x129/0x1a0
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53