CVE-2025-21696

In the Linux kernel, the following vulnerability has been resolved: mm: clear uffd-wp PTE/PMD state on mremap() When mremap()ing a memory region previously registered with userfaultfd as write-protected but without UFFD_FEATURE_EVENT_REMAP, an inconsistency in flag clearing leads to a mismatch between the vma flags (which have uffd-wp cleared) and the pte/pmd flags (which do not have uffd-wp cleared). This mismatch causes a subsequent mprotect(PROT_WRITE) to trigger a warning in page_table_check_pte_flags() due to setting the pte to writable while uffd-wp is still set. Fix this by always explicitly clearing the uffd-wp pte/pmd flags on any such mremap() so that the values are consistent with the existing clearing of VM_UFFD_WP. Be careful to clear the logical flag regardless of its physical form; a PTE bit, a swap PTE bit, or a PTE marker. Cover PTE, huge PMD and hugetlb paths.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/0cef0bb836e3cfe00f08f9606c72abd72fe78ca3	Patch
https://git.kernel.org/stable/c/310ac886d68de661c3a334198d8604b722d7fdf8	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc7::::::

History

14 Feb 2025, 15:42

Type	Values Removed	Values Added
First Time		Linux linux Kernel Linux
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:o:linux:linux_kernel:6.13:rc4:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.13:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.13:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.13:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.13:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.13:rc7:::::: cpe:2.3:o:linux:linux_kernel:6.13:rc3::::::
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: borrar el estado PTE/PMD de uffd-wp en mremap() Al borrar con mremap() una región de memoria registrada previamente con userfaultfd como protegida contra escritura pero sin UFFD_FEATURE_EVENT_REMAP, una inconsistencia en la depuración de indicadores provoca una falta de coincidencia entre los indicadores vma (que tienen uffd-wp borrado) y los indicadores pte/pmd (que no tienen uffd-wp borrado). Esta falta de coincidencia hace que un mprotect(PROT_WRITE) posterior active una advertencia en page_table_check_pte_flags() debido a la configuración de pte como escribible mientras uffd-wp aún está configurado. Solucione esto borrando siempre explícitamente los indicadores pte/pmd de uffd-wp en cualquier mremap() de este tipo para que los valores sean coherentes con la depuración existente de VM_UFFD_WP. Tenga cuidado de borrar el indicador lógico independientemente de su forma física: un bit PTE, un bit PTE de intercambio o un marcador PTE. Cubra las rutas PTE, PMD enormes y TLB enormes.
References	~~() https://git.kernel.org/stable/c/0cef0bb836e3cfe00f08f9606c72abd72fe78ca3 -~~	() https://git.kernel.org/stable/c/0cef0bb836e3cfe00f08f9606c72abd72fe78ca3 - Patch
References	~~() https://git.kernel.org/stable/c/310ac886d68de661c3a334198d8604b722d7fdf8 -~~	() https://git.kernel.org/stable/c/310ac886d68de661c3a334198d8604b722d7fdf8 - Patch

12 Feb 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-12 14:15

Updated : 2025-02-14 15:42

NVD link : CVE-2025-21696

Mitre link : CVE-2025-21696

CVE.ORG link : CVE-2025-21696

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

5.5 /10