CVE-2025-22090

{"id": "CVE-2025-22090", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-04-16T15:16:03.213", "references": [{"url": "https://git.kernel.org/stable/c/8d6373f83f367dbed316ddeb178130a3a64b5b67", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b07398e8a5da517083f5c3f2daa8f6681b48ab28", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/da381c33f3aa6406406c9fdf07b8b0b63e0ce722", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dc84bc2aba85a1508f04a936f9f9a15f64ebfb31", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/de6185b8892d88142ef69768fe4077cbf40109c0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()\n\nIf track_pfn_copy() fails, we already added the dst VMA to the maple\ntree. As fork() fails, we'll cleanup the maple tree, and stumble over\nthe dst VMA for which we neither performed any reservation nor copied\nany page tables.\n\nConsequently untrack_pfn() will see VM_PAT and try obtaining the\nPAT information from the page table -- which fails because the page\ntable was not copied.\n\nThe easiest fix would be to simply clear the VM_PAT flag of the dst VMA\nif track_pfn_copy() fails. However, the whole thing is about \"simply\"\nclearing the VM_PAT flag is shaky as well: if we passed track_pfn_copy()\nand performed a reservation, but copying the page tables fails, we'll\nsimply clear the VM_PAT flag, not properly undoing the reservation ...\nwhich is also wrong.\n\nSo let's fix it properly: set the VM_PAT flag only if the reservation\nsucceeded (leaving it clear initially), and undo the reservation if\nanything goes wrong while copying the page tables: clearing the VM_PAT\nflag after undoing the reservation.\n\nNote that any copied page table entries will get zapped when the VMA will\nget removed later, after copy_page_range() succeeded; as VM_PAT is not set\nthen, we won't try cleaning VM_PAT up once more and untrack_pfn() will be\nhappy. Note that leaving these page tables in place without a reservation\nis not a problem, as we are aborting fork(); this process will never run.\n\nA reproducer can trigger this usually at the first try:\n\n https://gitlab.com/davidhildenbrand/scratchspace/-/raw/main/reproducers/pat_fork.c\n\n WARNING: CPU: 26 PID: 11650 at arch/x86/mm/pat/memtype.c:983 get_pat_info+0xf6/0x110\n Modules linked in: ...\n CPU: 26 UID: 0 PID: 11650 Comm: repro3 Not tainted 6.12.0-rc5+ #92\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\n RIP: 0010:get_pat_info+0xf6/0x110\n ...\n Call Trace:\n <TASK>\n ...\n untrack_pfn+0x52/0x110\n unmap_single_vma+0xa6/0xe0\n unmap_vmas+0x105/0x1f0\n exit_mmap+0xf6/0x460\n __mmput+0x4b/0x120\n copy_process+0x1bf6/0x2aa0\n kernel_clone+0xab/0x440\n __do_sys_clone+0x66/0x90\n do_syscall_64+0x95/0x180\n\nLikely this case was missed in:\n\n d155df53f310 (\"x86/mm/pat: clear VM_PAT if copy_p4d_range failed\")\n\n... and instead of undoing the reservation we simply cleared the VM_PAT flag.\n\nKeep the documentation of these functions in include/linux/pgtable.h,\none place is more than sufficient -- we should clean that up for the other\nfunctions like track_pfn_remap/untrack_pfn separately."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: x86/mm/pat: Se corrige la gesti\u00f3n de VM_PAT cuando fork() falla en copy_page_range(). Si track_pfn_copy() falla, ya se agreg\u00f3 el VMA dst al \u00e1rbol de maple. Si fork() falla, se limpiar\u00e1 el \u00e1rbol de maple y se encontrar\u00e1 con el VMA dst para el cual no se realiz\u00f3 ninguna reserva ni se copi\u00f3 ninguna tabla de p\u00e1ginas. En consecuencia, untrack_pfn() detectar\u00e1 VM_PAT e intentar\u00e1 obtener la informaci\u00f3n de PAT de la tabla de p\u00e1ginas, lo cual falla porque esta no se copi\u00f3. La soluci\u00f3n m\u00e1s sencilla ser\u00eda simplemente borrar el indicador VM_PAT del VMA dst si track_pfn_copy() falla. Sin embargo, la cuesti\u00f3n de simplemente borrar el indicador VM_PAT tambi\u00e9n es problem\u00e1tica: si pasamos track_pfn_copy() y realizamos una reserva, pero la copia de las tablas de p\u00e1ginas falla, simplemente borraremos el indicador VM_PAT, sin deshacer la reserva correctamente, lo cual tambi\u00e9n es incorrecto. As\u00ed que vamos a solucionarlo correctamente: configuremos el indicador VM_PAT solo si la reserva se realiz\u00f3 correctamente (dej\u00e1ndolo inicialmente en blanco) y deshag\u00e1mosla si algo sale mal al copiar las tablas de p\u00e1ginas: borremos el indicador VM_PAT despu\u00e9s de deshacer la reserva. Tenga en cuenta que cualquier entrada copiada de la tabla de p\u00e1ginas se eliminar\u00e1 cuando se elimine el VMA posteriormente, despu\u00e9s de que copy_page_range() se haya ejecutado correctamente; como VM_PAT no est\u00e1 configurado en ese momento, no intentaremos borrarlo de nuevo y untrack_pfn() funcionar\u00e1 correctamente. Tenga en cuenta que dejar estas tablas de p\u00e1ginas sin una reserva no es un problema, ya que estamos cancelando fork(); este proceso nunca se ejecutar\u00e1. Un reproductor puede activar esto generalmente en el primer intento: https://gitlab.com/davidhildenbrand/scratchspace/-/raw/main/reproducers/pat_fork.c ADVERTENCIA: CPU: 26 PID: 11650 en arch/x86/mm/pat/memtype.c:983 get_pat_info+0xf6/0x110 M\u00f3dulos vinculados: ... CPU: 26 UID: 0 PID: 11650 Comm: repro3 No contaminado 6.12.0-rc5+ #92 Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 01/04/2014 RIP: 0010:get_pat_info+0xf6/0x110 ... Seguimiento de llamadas: ... untrack_pfn+0x52/0x110 unmap_single_vma+0xa6/0xe0 unmap_vmas+0x105/0x1f0 exit_mmap+0xf6/0x460 __mmput+0x4b/0x120 copy_process+0x1bf6/0x2aa0 kernel_clone+0xab/0x440 __do_sys_clone+0x66/0x90 do_syscall_64+0x95/0x180 Es probable que este caso no se haya encontrado en: d155df53f310 (\"x86/mm/pat: borrar VM_PAT si copy_p4d_range fall\u00f3\") ... y en lugar de deshacer la reserva simplemente borramos el indicador VM_PAT. Mantenga la documentaci\u00f3n de estas funciones en include/linux/pgtable.h, un lugar es m\u00e1s que suficiente; deber\u00edamos limpiarlo para las otras funciones como track_pfn_remap/untrack_pfn por separado."}], "lastModified": "2025-10-31T20:59:34.670", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E95372AC-4E62-47CB-9BB7-C458AD73B26B", "versionEndExcluding": "6.6.87", "versionStartIncluding": "2.6.29"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "26CAB76D-F00F-43CE-BEAD-7097F8FB1D6C", "versionEndExcluding": "6.12.23", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7E864B0-8C00-4679-BA55-659B4C9C3AD3", "versionEndExcluding": "6.13.11", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}