| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025111246-CVE-2025-40199-054c@gregkh> Date: Wed, 12 Nov 2025 17:01:02 -0500 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40199: page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches Helge reported that the introduction of PP_MAGIC_MASK let to crashes on boot on his 32-bit parisc machine. The cause of this is the mask is set too wide, so the page_pool_page_is_pp() incurs false positives which crashes the machine. Just disabling the check in page_pool_is_pp() will lead to the page_pool code itself malfunctioning; so instead of doing this, this patch changes the define for PP_DMA_INDEX_BITS to avoid mistaking arbitrary kernel pointers for page_pool-tagged pages. The fix relies on the kernel pointers that alias with the pp_magic field always being above PAGE_OFFSET. With this assumption, we can use the lowest bit of the value of PAGE_OFFSET as the upper bound of the PP_DMA_INDEX_MASK, which should avoid the false positives. Because we cannot rely on PAGE_OFFSET always being a compile-time constant, nor on it always being >0, we fall back to disabling the dma_index storage when there are not enough bits available. This leaves us in the situation we were in before the patch in the Fixes tag, but only on a subset of architecture configurations. This seems to be the best we can do until the transition to page types in complete for page_pool pages. v2: - Make sure there's at least 8 bits available and that the PAGE_OFFSET bit calculation doesn't wrap The Linux kernel CVE team has assigned CVE-2025-40199 to this issue. Affected and fixed versions =========================== Issue introduced in 6.12.34 with commit 4f51fb0d257ff4d406ec27966902de075e3b118e and fixed in 6.12.54 with commit 15b8a5b4cdc16e9a8bb2a548e12a0fd92997605a Issue introduced in 6.16 with commit ee62ce7a1d909ccba0399680a03c2dee83bcae95 and fixed in 6.17.4 with commit f62934cea32c8f7b11b747975d69bf5afe4264cf Issue introduced in 6.16 with commit ee62ce7a1d909ccba0399680a03c2dee83bcae95 and fixed in 6.18-rc1 with commit 95920c2ed02bde551ab654e9749c2ca7bc3100e0 Issue introduced in 6.15.3 with commit c30ae60f41f9edd6e1b5cad41cf28ce04dae39e4 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40199 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: include/linux/mm.h net/core/page_pool.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/15b8a5b4cdc16e9a8bb2a548e12a0fd92997605a https://git.kernel.org/stable/c/f62934cea32c8f7b11b747975d69bf5afe4264cf https://git.kernel.org/stable/c/95920c2ed02bde551ab654e9749c2ca7bc3100e0
Powered by blists - more mailing lists