CVE-2025-38207

{"id": "CVE-2025-38207", "cveTags": [], "metrics": {}, "published": "2025-07-04T14:15:28.823", "references": [{"url": "https://git.kernel.org/stable/c/2b12d06c37fd3a394376f42f026a7478d826ed63", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/58b83b9a9a929611a2a2e7d88f45cb0d786b7ee0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix uprobe pte be overwritten when expanding vma\n\nPatch series \"Fix uprobe pte be overwritten when expanding vma\".\n\n\nThis patch (of 4):\n\nWe encountered a BUG alert triggered by Syzkaller as follows:\n BUG: Bad rss-counter state mm:00000000b4a60fca type:MM_ANONPAGES val:1\n\nAnd we can reproduce it with the following steps:\n1. register uprobe on file at zero offset\n2. mmap the file at zero offset:\n addr1 = mmap(NULL, 2 * 4096, PROT_NONE, MAP_PRIVATE, fd, 0);\n3. mremap part of vma1 to new vma2:\n addr2 = mremap(addr1, 4096, 2 * 4096, MREMAP_MAYMOVE);\n4. mremap back to orig addr1:\n mremap(addr2, 4096, 4096, MREMAP_MAYMOVE | MREMAP_FIXED, addr1);\n\nIn step 3, the vma1 range [addr1, addr1 + 4096] will be remap to new vma2\nwith range [addr2, addr2 + 8192], and remap uprobe anon page from the vma1\nto vma2, then unmap the vma1 range [addr1, addr1 + 4096].\n\nIn step 4, the vma2 range [addr2, addr2 + 4096] will be remap back to the\naddr range [addr1, addr1 + 4096]. Since the addr range [addr1 + 4096,\naddr1 + 8192] still maps the file, it will take vma_merge_new_range to\nexpand the range, and then do uprobe_mmap in vma_complete. Since the\nmerged vma pgoff is also zero offset, it will install uprobe anon page to\nthe merged vma. However, the upcomming move_page_tables step, which use\nset_pte_at to remap the vma2 uprobe pte to the merged vma, will overwrite\nthe newly uprobe pte in the merged vma, and lead that pte to be orphan.\n\nSince the uprobe pte will be remapped to the merged vma, we can remove the\nunnecessary uprobe_mmap upon merged vma.\n\nThis problem was first found in linux-6.6.y and also exists in the\ncommunity syzkaller:\nhttps://lore.kernel.org/all/000000000000ada39605a5e71711@google.com/T/"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: se corrige la sobrescritura del archivo uprobe al expandir vma. Serie de parches \"Corregir la sobrescritura del archivo uprobe al expandir vma\". Este parche (de 4): Se detect\u00f3 una alerta de error generada por Syzkaller: Error: Estado incorrecto del contador RSS mm:00000000b4a60fca tipo:MM_ANONPAGES val:1. Se puede reproducir con los siguientes pasos: 1. Registrar uprobe en el archivo con desplazamiento cero. 2. Asignar el archivo con mmap en el desplazamiento cero: addr1 = mmap(NULL, 2 * 4096, PROT_NONE, MAP_PRIVATE, fd, 0); 3. Asignar con mremap parte de vma1 al nuevo vma2: addr2 = mremap(addr1, 4096, 2 * 4096, MREMAP_MAYMOVE); 4. mremap de vuelta a la direcci\u00f3n original 1: mremap(addr2, 4096, 4096, MREMAP_MAYMOVE | MREMAP_FIXED, addr1); En el paso 3, el rango vma1 [addr1, addr1 + 4096] se reasignar\u00e1 a la nueva vma2 con rango [addr2, addr2 + 8192] y se reasignar\u00e1 la p\u00e1gina uprobe anon de vma1 a vma2, luego desasignar\u00e1 el rango vma1 [addr1, addr1 + 4096]. En el paso 4, el rango vma2 [addr2, addr2 + 4096] se reasignar\u00e1 de nuevo al rango addr [addr1, addr1 + 4096]. Dado que el rango de direcciones [addr1 + 4096, addr1 + 8192] a\u00fan asigna el archivo, se requerir\u00e1 vma_merge_new_range para expandir el rango y luego ejecutar uprobe_mmap en vma_complete. Dado que el desplazamiento de la p\u00e1gina de la vma fusionada tambi\u00e9n tiene desplazamiento cero, se instalar\u00e1 uprobe anon page en la vma fusionada. Sin embargo, el siguiente paso `move_page_tables`, que usa `set_pte_at` para reasignar la pte de uprobe vma2 a la vma fusionada, sobrescribir\u00e1 la nueva pte de uprobe en la vma fusionada y la dejar\u00e1 hu\u00e9rfana. Dado que la pte de uprobe se reasignar\u00e1 a la vma fusionada, podemos eliminar uprobe_mmap innecesario al fusionar la vma. Este problema se encontr\u00f3 por primera vez en linux-6.6.y y tambi\u00e9n existe en la comunidad syzkaller: https://lore.kernel.org/all/000000000000ada39605a5e71711@google.com/T/"}], "lastModified": "2025-07-08T16:18:53.607", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}