Message-ID: <2025081902-CVE-2025-38554-b161@gregkh>
Date: Tue, 19 Aug 2025 19:18:01 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38554: mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped
By inducing delays in the right places, Jann Horn created a reproducer for
a hard to hit UAF issue that became possible after VMAs were allowed to be
recycled by adding SLAB_TYPESAFE_BY_RCU to their cache.
Race description is borrowed from Jann's discovery report:
lock_vma_under_rcu() looks up a VMA locklessly with mas_walk() under
rcu_read_lock(). At that point, the VMA may be concurrently freed, and it
can be recycled by another process. vma_start_read() then increments the
vma->vm_refcnt (if it is in an acceptable range), and if this succeeds,
vma_start_read() can return a recycled VMA.
In this scenario where the VMA has been recycled, lock_vma_under_rcu()
will then detect the mismatching ->vm_mm pointer and drop the VMA through
vma_end_read(), which calls vma_refcount_put(). vma_refcount_put() drops
the refcount and then calls rcuwait_wake_up() using a copy of vma->vm_mm.
This is wrong: It implicitly assumes that the caller is keeping the VMA's
mm alive, but in this scenario the caller has no relation to the VMA's mm,
so the rcuwait_wake_up() can cause UAF.
The diagram depicting the race:
T1                                            T2                          T3
==                                            ==                          ==
lock_vma_under_rcu
  mas_walk
                                              <VMA gets removed from mm>
                                                                          mmap
                                                                            <the same VMA is reallocated>
  vma_start_read
    __refcount_inc_not_zero_limited_acquire
                                                                          munmap
                                                                            __vma_enter_locked
                                                                              refcount_add_not_zero
  vma_end_read
    vma_refcount_put
      __refcount_dec_and_test
                                                                              rcuwait_wait_event
                                                                              <finish operation>
      rcuwait_wake_up [UAF]
Note that rcuwait_wait_event() in T3 does not block because refcount was
already dropped by T1. At this point T3 can exit and free the mm causing
UAF in T1.
To avoid this we move vma->vm_mm verification into vma_start_read() and
grab vma->vm_mm to stabilize it before vma_refcount_put() operation.
[surenb@...gle.com: v3]
The Linux kernel CVE team has assigned CVE-2025-38554 to this issue.
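The following is an added, constructed user-space model of the race described
above; it is not kernel code and not part of the fix. struct mm_model,
struct vma_model, mm_grab(), mm_drop(), wake_writer() and t3_exit_and_free()
are hypothetical stand-ins for mm_struct, vm_area_struct, mmgrab()/mmdrop(),
rcuwait_wake_up() and the exiting task in T3. Nothing is really freed: the
last mm_drop() sets a poison flag so the use-after-free shows up as a return
value instead of a crash. The unsafe put caches vma->vm_mm, drops vm_refcnt
and then touches the cached pointer, which is exactly the window in which T3
can exit and free its mm; the safe put takes a reference on that mm before
dropping vm_refcnt, as the description says the fix does.

```c
/*
 * Constructed model of CVE-2025-38554's race, added here as an example.
 * Not kernel code: all names below are hypothetical stand-ins.
 */
#include <stdatomic.h>
#include <stddef.h>

struct mm_model {
	atomic_int mm_count;	/* like mm_struct->mm_count */
	int freed;		/* poison flag: set when mm_count hits zero */
	int writer_woken;	/* the modelled rcuwait_wake_up() landed */
};

struct vma_model {
	atomic_int vm_refcnt;	/* like vm_area_struct->vm_refcnt */
	struct mm_model *vm_mm;
};

/* Stand-in for mmgrab(). */
static void mm_grab(struct mm_model *mm)
{
	atomic_fetch_add(&mm->mm_count, 1);
}

/* Stand-in for mmdrop(): real code would kfree(mm); we poison it instead. */
static void mm_drop(struct mm_model *mm)
{
	if (atomic_fetch_sub(&mm->mm_count, 1) == 1)
		mm->freed = 1;
}

/* Stand-in for rcuwait_wake_up(&mm->vma_writer_wait): dereferences mm. */
static int wake_writer(struct mm_model *mm)
{
	if (mm->freed)
		return -1;	/* use-after-free observed */
	mm->writer_woken = 1;
	return 0;
}

/*
 * What T3 does after T1 has dropped vm_refcnt: rcuwait_wait_event() does
 * not block, munmap finishes, the task exits and releases its mm reference.
 */
static void t3_exit_and_free(struct mm_model *mm)
{
	mm_drop(mm);
}

/* Buggy put: caches vm_mm, drops the refcount, then touches the cache. */
static int vma_refcount_put_unsafe(struct vma_model *vma)
{
	struct mm_model *mm = vma->vm_mm;

	atomic_fetch_sub(&vma->vm_refcnt, 1);
	t3_exit_and_free(mm);		/* T3 interleaves here and frees mm */
	return wake_writer(mm);		/* touches freed mm: returns -1 */
}

/* Fixed put: pin the (foreign) mm before the refcount can reach T3. */
static int vma_refcount_put_safe(struct vma_model *vma)
{
	struct mm_model *mm = vma->vm_mm;
	int rc;

	mm_grab(mm);
	atomic_fetch_sub(&vma->vm_refcnt, 1);
	t3_exit_and_free(mm);		/* T3 interleaves here; mm survives */
	rc = wake_writer(mm);		/* safe: we still hold mm_count */
	mm_drop(mm);			/* last reference: mm goes away now */
	return rc;
}

/*
 * Driver: a VMA recycled into T3's mm while T1 holds the stale read ref
 * it took in vma_start_read(). Returns the put's result and reports whether
 * the mm ended up freed once everything finished.
 */
static int run_race(int (*put)(struct vma_model *), int *mm_freed_after)
{
	struct mm_model t3_mm = { .mm_count = 1 };	/* T3's own reference */
	struct vma_model vma = { .vm_refcnt = 1, .vm_mm = &t3_mm };
	int rc = put(&vma);

	*mm_freed_after = t3_mm.freed;
	return rc;
}

int run_unsafe(void)        { int f; return run_race(vma_refcount_put_unsafe, &f); }
int run_safe(void)          { int f; return run_race(vma_refcount_put_safe, &f); }
int run_safe_mm_freed(void) { int f; run_race(vma_refcount_put_safe, &f); return f; }
```

run_unsafe() returns -1 because the cached mm is already poisoned when the
wake-up runs; run_safe() returns 0 and run_safe_mm_freed() returns 1, showing
that pinning the mm only delays its release until after the wake-up rather
than leaking it. The general rule the model illustrates: once you drop the
reference that kept an object alive, nothing reached through it, including a
pointer you copied out earlier, is safe to touch unless it is held by a
reference of its own.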
Affected and fixed versions
===========================
Issue introduced in 6.15 with commit 3104138517fc66aad21f4a2487bb572e9fc2e3ec and fixed in 6.15.10 with commit 6e88fe54721dee17d3496bc998f0c7d243896348
Issue introduced in 6.15 with commit 3104138517fc66aad21f4a2487bb572e9fc2e3ec and fixed in 6.16.1 with commit 1bcd236a2536a451e385f8d6d2bb589689ec812f
Issue introduced in 6.15 with commit 3104138517fc66aad21f4a2487bb572e9fc2e3ec and fixed in 6.17-rc1 with commit 9bbffee67ffd16360179327b57f3b1245579ef08
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38554
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
include/linux/mmap_lock.h
mm/mmap_lock.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/6e88fe54721dee17d3496bc998f0c7d243896348
https://git.kernel.org/stable/c/1bcd236a2536a451e385f8d6d2bb589689ec812f
https://git.kernel.org/stable/c/9bbffee67ffd16360179327b57f3b1245579ef08