CVE-2025-21869

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-21869
In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Disable KASAN report during patching via temporary mm Erhard reports the following KASAN hit on Talos II (power9) with kernel 6.13: [ 12.028126] ================================================================== [ 12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0 [ 12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1 [ 12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.13.0-P9-dirty #3 [ 12.028408] Tainted: [T]=RANDSTRUCT [ 12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV [ 12.028500] Call Trace: [ 12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable) [ 12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708 [ 12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300 [ 12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370 [ 12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40 [ 12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0 [ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210 [ 12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590 [ 12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0 [ 12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0 [ 12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930 [ 12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280 [ 12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370 [ 12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00 [ 12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40 [ 12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610 [ 12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280 [ 12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8 [ 12.029608] NIP: 00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000 [ 12.029660] REGS: c000000008dbfe80 TRAP: 3000 Tainted: G T (6.13.0-P9-dirty) [ 12.029735] MSR: 900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI> CR: 42004848 XER: 00000000 [ 12.029855] IRQMASK: 0 GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005 GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008 GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000 GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90 GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80 GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8 GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580 [ 12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030405] --- interrupt: 3000 [ 12.030444] ================================================================== Commit c28c15b6d28a ("powerpc/code-patching: Use temporary mm for Radix MMU") is inspired from x86 but unlike x86 is doesn't disable KASAN reports during patching. This wasn't a problem at the begining because __patch_mem() is not instrumented. Commit 465cabc97b42 ("powerpc/code-patching: introduce patch_instructions()") use copy_to_kernel_nofault() to copy several instructions at once. But when using temporary mm the destination is not regular kernel memory but a kind of kernel-like memory located in user address space. ---truncated---

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/5980d4456dd66d1b6505d5ec15048bd87e8775e0 Patch
https://git.kernel.org/stable/c/dc9c5166c3cb044f8a001e397195242fd6796eee Patch
https://git.kernel.org/stable/c/ea291447a4031f3dac5c23d55bc83fe833820d84 Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*
History

29 Oct 2025, 21:08

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/5980d4456dd66d1b6505d5ec15048bd87e8775e0 - () https://git.kernel.org/stable/c/5980d4456dd66d1b6505d5ec15048bd87e8775e0 - Patch
References () https://git.kernel.org/stable/c/dc9c5166c3cb044f8a001e397195242fd6796eee - () https://git.kernel.org/stable/c/dc9c5166c3cb044f8a001e397195242fd6796eee - Patch
References () https://git.kernel.org/stable/c/ea291447a4031f3dac5c23d55bc83fe833820d84 - () https://git.kernel.org/stable/c/ea291447a4031f3dac5c23d55bc83fe833820d84 - Patch
First Time Linux linux Kernel
Linux
CWE CWE-787
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: powerpc/code-patching: Deshabilitar el informe de KASAN durante la aplicación de parches a través de mm temporal Erhard informa el siguiente impacto de KASAN en Talos II (power9) con kernel 6.13: [ 12.028126] ====================================================================== [ 12.028198] ERROR: KASAN: acceso a memoria de usuario en copy_to_kernel_nofault+0x8c/0x1a0 [ 12.028260] Escritura de tamaño 8 en la dirección 0000187e458f2000 por la tarea systemd/1 [ 12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Contaminado: GT 6.13.0-P9-dirty #3 [ 12.028408] Contaminado: [T]=RANDSTRUCT [ 12.028446] Nombre del hardware: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV [ 12.028500] Rastreo de llamadas: [ 12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (no confiable) [ 12.028609] [c000000008dbf3f0] [c0000000006e2fc8] informe_de_impresión+0x6b0/0x708 [12.028666] [c000000008dbf4e0] [c0000000006e2454] informe_de_kasan+0x164/0x300 [12.028725] [c000000008dbf600] [c0000000006e54d4] rango_de_comprobación_de_kasan+0x314/0x370 [12.028784] [c000000008dbf640] [c0000000006e6310] __escritura_de_comprobación_de_kasan+0x20/0x40 [12.028842] [c000000008dbf660] [c000000000578e8c] copia_al_núcleo_no_ofault+0x8c/0x1a0 [ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] __instrucciones_de_parche+0x194/0x210 [ 12.028965] [c000000008dbf6e0] [c0000000000ade80] instrucciones_de_parche+0x150/0x590 [ 12.029026] [c000000008dbf7c0] [c0000000001159bc] copia_de_texto_de_archivo_bpf+0x6c/0xe0 [ 12.029085] bpf_jit_binary_pack_finalize+0x40/0xc0 [12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930 [12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280 [12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370 [ 12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00 [ 12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40 [ 12.029435] [c000000008dbfd20] [c000000000038eb4] excepción de llamada del sistema+0x334/0x610 [ 12.029497] [c000000008dbfe50] [c00000000000c270] llamada_del_sistema_vectorizada_común+0xf0/0x280 [12.029561] --- interrupción: 3000 en 0x3fff82f5cfa8 [12.029608] NIP: 00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 000000000000000 [12.029660] REG: c000000008dbfe80 TRAMPA: 3000 Contaminado: GT (6.13.0-P9-sucio) [12.029735] MSR: 900000000280f032 CR: 42004848 XER: 00000000 [ 12.029855] IRQMASK: 0 GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005 GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008 GPR08: 0000000000000000 00000000000000000 0000000000000000 00000000000000000 GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000 GPR16: 000000000000000 000000000000000 00003fffdcf78f28 00003fffdcf78f90 GPR20: 000000000000000 000000000000000 000000000000000 0000000000000000 00003fffdcf78f80 GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8 GPR28: 00003fffdcf78a98 0000000000000000 000000000000000 0000000011f547580 [ 12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030405] --- interrupción: 3000 [ 12.030444] ================================================================================= El commit c28c15b6d28a ("powerpc/code-patching: Usar mm temporal para MMU de base") está inspirada en x86, pero a diferencia de x86, no deshabilita los informes de KASAN durante la aplicación de parches. Esto no fue un problema al principio, ya que __patch_mem() no está instrumentado. El commit 465cabc97b42 ("powerpc/code-patching: introducir patch_instructions()") usa copy_to_kernel_nofault() para copiar varias instrucciones a la vez. Pero cuando se utiliza mm temporal, el destino no es la memoria del núcleo normal, sino un tipo de memoria similar al núcleo ubicada en el espacio de direcciones del usuario. ---truncado---
CPE cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8

27 Mar 2025, 14:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-27 14:15

Updated : 2025-10-29 21:08

NVD link : CVE-2025-21869

Mitre link : CVE-2025-21869

CVE.ORG link : CVE-2025-21869

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-787

Out-of-bounds Write