Message-ID: <2025072512-CVE-2025-38434-ecdf@gregkh>
Date: Fri, 25 Jul 2025 16:32:13 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38434: Revert "riscv: Define TASK_SIZE_MAX for __access_ok()"
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
Revert "riscv: Define TASK_SIZE_MAX for __access_ok()"
This reverts commit ad5643cf2f69 ("riscv: Define TASK_SIZE_MAX for
__access_ok()").
This commit changes TASK_SIZE_MAX to be LONG_MAX to optimize access_ok(),
because the previous TASK_SIZE_MAX (default to TASK_SIZE) requires some
computation.
The reasoning was that all user addresses are less than LONG_MAX, and all
kernel addresses are greater than LONG_MAX. Therefore access_ok() can
filter kernel addresses.
Addresses between TASK_SIZE and LONG_MAX are not valid user addresses, but
access_ok() lets them pass. That was thought to be okay, because they are
not valid addresses at hardware level.
Unfortunately, one case is missed: get_user_pages_fast() happily accepts
addresses between TASK_SIZE and LONG_MAX. futex(), for instance, uses
get_user_pages_fast(). This causes the problem reported by Robert [1].
Therefore, revert this commit. TASK_SIZE_MAX is changed to the default:
TASK_SIZE.
This unfortunately reduces performance, because TASK_SIZE is more expensive
to compute compared to LONG_MAX. But correctness first, we can think about
optimization later, if required.
The Linux kernel CVE team has assigned CVE-2025-38434 to this issue.
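The following is an added illustration, not code from the kernel or from the commit above: a user-space model of the generic kernel __access_ok() range check, evaluated once with the reverted TASK_SIZE_MAX = LONG_MAX and once with TASK_SIZE_MAX = TASK_SIZE, to show which addresses the first limit accepts that the second rejects. It assumes an LP64 build and uses 0x4000000000 (256 GiB, the Sv39 user address space size) as a sample TASK_SIZE.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Sample value, assumed for illustration: the RISC-V Sv39 user address
 * space is 256 GiB, so TASK_SIZE = 0x4000000000 on an LP64 build. */
#define SAMPLE_TASK_SIZE 0x4000000000UL

/* Model of the generic __access_ok(): [addr, addr + size) is accepted when
 * it fits below `limit`; the subtraction form avoids addition wrap-around. */
static bool model_access_ok(unsigned long addr, unsigned long size,
                            unsigned long limit)
{
    return (size <= limit) && (addr <= (limit - size));
}

/* Variant from the reverted commit: TASK_SIZE_MAX = LONG_MAX. */
static bool access_ok_long_max(unsigned long addr, unsigned long size)
{
    return model_access_ok(addr, size, (unsigned long)LONG_MAX);
}

/* Variant after the revert: TASK_SIZE_MAX = TASK_SIZE. */
static bool access_ok_task_size(unsigned long addr, unsigned long size)
{
    return model_access_ok(addr, size, SAMPLE_TASK_SIZE);
}

/* True when the range lies in the gap [TASK_SIZE, LONG_MAX]: not a user
 * address, yet accepted by the LONG_MAX check and therefore handed on to
 * callers such as get_user_pages_fast(). */
static bool in_unchecked_gap(unsigned long addr, unsigned long size)
{
    return access_ok_long_max(addr, size) && !access_ok_task_size(addr, size);
}

int main(void)
{
    /* Constructed probe addresses: a low user address, the last valid
     * 8-byte user word, TASK_SIZE itself, a high positive address, and a
     * kernel address with the top bit set. */
    unsigned long probes[] = { 0x1000UL, SAMPLE_TASK_SIZE - 8, SAMPLE_TASK_SIZE,
                               0x7f00000000000000UL, 0xffffffff80000000UL };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("%#018lx  LONG_MAX:%d  TASK_SIZE:%d  gap:%d\n", probes[i],
               access_ok_long_max(probes[i], 8), access_ok_task_size(probes[i], 8),
               in_unchecked_gap(probes[i], 8));
    return 0;
}
```

Only the two middle probes (TASK_SIZE and the high positive address) land in the gap; the kernel address fails both checks, so the LONG_MAX limit did filter kernel pointers as intended but not the invalid region below them.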
Affected and fixed versions
===========================
Issue introduced in 6.10 with commit ad5643cf2f699989daa85d909403febd6712fccb and fixed in 6.12.36 with commit fe30c30bf3bb68d4a4d8c7c814769857b5c973e6
Issue introduced in 6.10 with commit ad5643cf2f699989daa85d909403febd6712fccb and fixed in 6.15.5 with commit f8b1898748dfeb4f9b67b6a6d661f354b9de3523
Issue introduced in 6.10 with commit ad5643cf2f699989daa85d909403febd6712fccb and fixed in 6.16-rc4 with commit 890ba5be6335dbbbc99af14ea007befb5f83f174
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38434
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
arch/riscv/include/asm/pgtable.h
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/fe30c30bf3bb68d4a4d8c7c814769857b5c973e6
https://git.kernel.org/stable/c/f8b1898748dfeb4f9b67b6a6d661f354b9de3523
https://git.kernel.org/stable/c/890ba5be6335dbbbc99af14ea007befb5f83f174