| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025090448-CVE-2025-38688-6e94@gregkh> Date: Thu, 4 Sep 2025 17:32:53 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38688: iommufd: Prevent ALIGN() overflow From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: iommufd: Prevent ALIGN() overflow When allocating IOVA the candidate range gets aligned to the target alignment. If the range is close to ULONG_MAX then the ALIGN() can wrap resulting in a corrupted iova. Open code the ALIGN() using get_add_overflow() to prevent this. This simplifies the checks as we don't need to check for length earlier either. Consolidate the two copies of this code under a single helper. This bug would allow userspace to create a mapping that overlaps with some other mapping or a reserved range. The Linux kernel CVE team has assigned CVE-2025-38688 to this issue. Affected and fixed versions =========================== Issue introduced in 6.2 with commit 51fe6141f0f64ae0bbc096a41a07572273e8c0ef and fixed in 6.6.103 with commit d19b817540c0abe84854a64ee9ee34cecc3bbeef Issue introduced in 6.2 with commit 51fe6141f0f64ae0bbc096a41a07572273e8c0ef and fixed in 6.12.43 with commit ebb6021560b94649bec6b8faba6fe0dca2218e81 Issue introduced in 6.2 with commit 51fe6141f0f64ae0bbc096a41a07572273e8c0ef and fixed in 6.15.11 with commit e42a046bb41dcdde4f766a17d8211842007ed537 Issue introduced in 6.2 with commit 51fe6141f0f64ae0bbc096a41a07572273e8c0ef and fixed in 6.16.2 with commit 79fad1917802c28de51a479318a056a6fbe3e2f2 Issue introduced in 6.2 with commit 51fe6141f0f64ae0bbc096a41a07572273e8c0ef and fixed in 6.17-rc1 with commit b42497e3c0e74db061eafad41c0cd7243c46436b Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38688 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/iommu/iommufd/io_pagetable.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/d19b817540c0abe84854a64ee9ee34cecc3bbeef https://git.kernel.org/stable/c/ebb6021560b94649bec6b8faba6fe0dca2218e81 https://git.kernel.org/stable/c/e42a046bb41dcdde4f766a17d8211842007ed537 https://git.kernel.org/stable/c/79fad1917802c28de51a479318a056a6fbe3e2f2 https://git.kernel.org/stable/c/b42497e3c0e74db061eafad41c0cd7243c46436b
Powered by blists - more mailing lists