CVE-2025-40040

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/ksm: fix flag-dropping behavior in ksm_madvise<br /> <br /> syzkaller discovered the following crash: (kernel BUG)<br /> <br /> [ 44.607039] ------------[ cut here ]------------<br /> [ 44.607422] kernel BUG at mm/userfaultfd.c:2067!<br /> [ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI<br /> [ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none)<br /> [ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014<br /> [ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460<br /> <br /> <br /> <br /> [ 44.617726] Call Trace:<br /> [ 44.617926] <br /> [ 44.619284] userfaultfd_release+0xef/0x1b0<br /> [ 44.620976] __fput+0x3f9/0xb60<br /> [ 44.621240] fput_close_sync+0x110/0x210<br /> [ 44.622222] __x64_sys_close+0x8f/0x120<br /> [ 44.622530] do_syscall_64+0x5b/0x2f0<br /> [ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [ 44.623244] RIP: 0033:0x7f365bb3f227<br /> <br /> Kernel panics because it detects UFFD inconsistency during<br /> userfaultfd_release_all(). Specifically, a VMA which has a valid pointer<br /> to vma-&gt;vm_userfaultfd_ctx, but no UFFD flags in vma-&gt;vm_flags.<br /> <br /> The inconsistency is caused in ksm_madvise(): when user calls madvise()<br /> with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode,<br /> it accidentally clears all flags stored in the upper 32 bits of<br /> vma-&gt;vm_flags.<br /> <br /> Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and<br /> int are 32-bit wide. This setup causes the following mishap during the &amp;=<br /> ~VM_MERGEABLE assignment.<br /> <br /> VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000&amp;#39;0000. <br /> After ~ is applied, it becomes 0x7fff&amp;#39;ffff unsigned int, which is then<br /> promoted to unsigned long before the &amp; operation. This promotion fills<br /> upper 32 bits with leading 0s, as we&amp;#39;re doing unsigned conversion (and<br /> even for a signed conversion, this wouldn&amp;#39;t help as the leading bit is 0).<br /> &amp; operation thus ends up AND-ing vm_flags with 0x0000&amp;#39;0000&amp;#39;7fff&amp;#39;ffff<br /> instead of intended 0xffff&amp;#39;ffff&amp;#39;7fff&amp;#39;ffff and hence accidentally clears<br /> the upper 32-bits of its value.<br /> <br /> Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the<br /> BIT() macro.<br /> <br /> Note: other VM_* flags are not affected: This only happens to the<br /> VM_MERGEABLE flag, as the other VM_* flags are all constants of type int<br /> and after ~ operation, they end up with leading 1 and are thus converted<br /> to unsigned long with leading 1s.<br /> <br /> Note 2:<br /> After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is<br /> no longer a kernel BUG, but a WARNING at the same place:<br /> <br /> [ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067<br /> <br /> but the root-cause (flag-drop) remains the same.<br /> <br /> [akpm@linux-foundation.org: rust bindgen wasn&amp;#39;t able to handle BIT(), from Miguel]