lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025070321-CVE-2025-38102-d592@gregkh>
Date: Thu,  3 Jul 2025 10:35:20 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38102: VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify

During our test, it is found that a warning can be trigger in try_grab_folio
as follow:

  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130
  Modules linked in:
  CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)
  RIP: 0010:try_grab_folio+0x106/0x130
  Call Trace:
   <TASK>
   follow_huge_pmd+0x240/0x8e0
   follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0
   follow_pud_mask.constprop.0.isra.0+0x14a/0x170
   follow_page_mask+0x1c2/0x1f0
   __get_user_pages+0x176/0x950
   __gup_longterm_locked+0x15b/0x1060
   ? gup_fast+0x120/0x1f0
   gup_fast_fallback+0x17e/0x230
   get_user_pages_fast+0x5f/0x80
   vmci_host_unlocked_ioctl+0x21c/0xf80
  RIP: 0033:0x54d2cd
  ---[ end trace 0000000000000000 ]---

Digging into the source, context->notify_page may init by get_user_pages_fast
and can be seen in vmci_ctx_unset_notify which will try to put_page. However
get_user_pages_fast is not finished here and lead to following
try_grab_folio warning. The race condition is shown as follow:

cpu0			cpu1
vmci_host_do_set_notify
vmci_host_setup_notify
get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);
lockless_pages_from_mm
gup_pgd_range
gup_huge_pmd  // update &context->notify_page
			vmci_host_do_set_notify
			vmci_ctx_unset_notify
			notify_page = context->notify_page;
			if (notify_page)
			put_page(notify_page);	// page is freed
__gup_longterm_locked
__get_user_pages
follow_trans_huge_pmd
try_grab_folio // warn here

To slove this, use local variable page to make notify_page can be seen
after finish get_user_pages_fast.

The Linux kernel CVE team has assigned CVE-2025-38102 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.0 with commit a1d88436d53a75e950db15834b3d2f8c0c358fdc and fixed in 5.15.186 with commit b4209e4b778e4e57d0636e1c9fc07a924dbc6043
	Issue introduced in 4.0 with commit a1d88436d53a75e950db15834b3d2f8c0c358fdc and fixed in 6.1.142 with commit 58a90db70aa6616411e5f69d1982d9b1dd97d774
	Issue introduced in 4.0 with commit a1d88436d53a75e950db15834b3d2f8c0c358fdc and fixed in 6.6.94 with commit 6e3af836805ed1d7a699f76ec798626198917aa4
	Issue introduced in 4.0 with commit a1d88436d53a75e950db15834b3d2f8c0c358fdc and fixed in 6.12.34 with commit 00ddc7dad55b7bbb78df80d6e174d0c4764dea0c
	Issue introduced in 4.0 with commit a1d88436d53a75e950db15834b3d2f8c0c358fdc and fixed in 6.15.3 with commit 75b5313c80c39a26d27cbb602f968a05576c36f9
	Issue introduced in 4.0 with commit a1d88436d53a75e950db15834b3d2f8c0c358fdc and fixed in 6.16-rc1 with commit 1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38102
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/misc/vmw_vmci/vmci_host.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/b4209e4b778e4e57d0636e1c9fc07a924dbc6043
	https://git.kernel.org/stable/c/58a90db70aa6616411e5f69d1982d9b1dd97d774
	https://git.kernel.org/stable/c/6e3af836805ed1d7a699f76ec798626198917aa4
	https://git.kernel.org/stable/c/00ddc7dad55b7bbb78df80d6e174d0c4764dea0c
	https://git.kernel.org/stable/c/75b5313c80c39a26d27cbb602f968a05576c36f9
	https://git.kernel.org/stable/c/1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ