cve-2025-37774
Vulnerability from cvelistv5
Published
2025-05-01 13:07
Modified
2025-05-01 13:07
Severity ?
EPSS score ?
Summary
slab: ensure slab->obj_exts is clear in a newly allocated slab page
References
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/slub.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8baa747193591410a853bac9c3710142dfa4937b", "status": "affected", "version": "21c690a349baab895dc68ab70d291e1598d7109d", "versionType": "git" }, { "lessThan": "28bef6622a1a874fe63aceeb0c684fab75afb3ae", "status": "affected", "version": "21c690a349baab895dc68ab70d291e1598d7109d", "versionType": "git" }, { "lessThan": "d2f5819b6ed357c0c350c0616b6b9f38be59adf6", "status": "affected", "version": "21c690a349baab895dc68ab70d291e1598d7109d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "mm/slub.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.10" }, { "lessThan": "6.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.25", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15-rc3", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslab: ensure slab-\u003eobj_exts is clear in a newly allocated slab page\n\nktest recently reported crashes while running several buffered io tests\nwith __alloc_tagging_slab_alloc_hook() at the top of the crash call stack.\nThe signature indicates an invalid address dereference with low bits of\nslab-\u003eobj_exts being set. The bits were outside of the range used by\npage_memcg_data_flags and objext_flags and hence were not masked out\nby slab_obj_exts() when obtaining the pointer stored in slab-\u003eobj_exts.\nThe typical crash log looks like this:\n\n00510 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n00510 Mem abort info:\n00510 ESR = 0x0000000096000045\n00510 EC = 0x25: DABT (current EL), IL = 32 bits\n00510 SET = 0, FnV = 0\n00510 EA = 0, S1PTW = 0\n00510 FSC = 0x05: level 1 translation fault\n00510 Data abort info:\n00510 ISV = 0, ISS = 0x00000045, ISS2 = 0x00000000\n00510 CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n00510 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n00510 user pgtable: 4k pages, 39-bit VAs, pgdp=0000000104175000\n00510 [0000000000000010] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n00510 Internal error: Oops: 0000000096000045 [#1] SMP\n00510 Modules linked in:\n00510 CPU: 10 UID: 0 PID: 7692 Comm: cat Not tainted 6.15.0-rc1-ktest-g189e17946605 #19327 NONE\n00510 Hardware name: linux,dummy-virt (DT)\n00510 pstate: 20001005 (nzCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)\n00510 pc : __alloc_tagging_slab_alloc_hook+0xe0/0x190\n00510 lr : __kmalloc_noprof+0x150/0x310\n00510 sp : ffffff80c87df6c0\n00510 x29: ffffff80c87df6c0 x28: 000000000013d1ff x27: 000000000013d200\n00510 x26: ffffff80c87df9e0 x25: 0000000000000000 x24: 0000000000000001\n00510 x23: ffffffc08041953c x22: 000000000000004c x21: ffffff80c0002180\n00510 x20: fffffffec3120840 x19: ffffff80c4821000 x18: 0000000000000000\n00510 x17: fffffffec3d02f00 x16: fffffffec3d02e00 x15: fffffffec3d00700\n00510 x14: fffffffec3d00600 x13: 0000000000000200 x12: 0000000000000006\n00510 x11: ffffffc080bb86c0 x10: 0000000000000000 x9 : ffffffc080201e58\n00510 x8 : ffffff80c4821060 x7 : 0000000000000000 x6 : 0000000055555556\n00510 x5 : 0000000000000001 x4 : 0000000000000010 x3 : 0000000000000060\n00510 x2 : 0000000000000000 x1 : ffffffc080f50cf8 x0 : ffffff80d801d000\n00510 Call trace:\n00510 __alloc_tagging_slab_alloc_hook+0xe0/0x190 (P)\n00510 __kmalloc_noprof+0x150/0x310\n00510 __bch2_folio_create+0x5c/0xf8\n00510 bch2_folio_create+0x2c/0x40\n00510 bch2_readahead+0xc0/0x460\n00510 read_pages+0x7c/0x230\n00510 page_cache_ra_order+0x244/0x3a8\n00510 page_cache_async_ra+0x124/0x170\n00510 filemap_readahead.isra.0+0x58/0xa0\n00510 filemap_get_pages+0x454/0x7b0\n00510 filemap_read+0xdc/0x418\n00510 bch2_read_iter+0x100/0x1b0\n00510 vfs_read+0x214/0x300\n00510 ksys_read+0x6c/0x108\n00510 __arm64_sys_read+0x20/0x30\n00510 invoke_syscall.constprop.0+0x54/0xe8\n00510 do_el0_svc+0x44/0xc8\n00510 el0_svc+0x18/0x58\n00510 el0t_64_sync_handler+0x104/0x130\n00510 el0t_64_sync+0x154/0x158\n00510 Code: d5384100 f9401c01 b9401aa3 b40002e1 (f8227881)\n00510 ---[ end trace 0000000000000000 ]---\n00510 Kernel panic - not syncing: Oops: Fatal exception\n00510 SMP: stopping secondary CPUs\n00510 Kernel Offset: disabled\n00510 CPU features: 0x0000,000000e0,00000410,8240500b\n00510 Memory Limit: none\n\nInvestigation indicates that these bits are already set when we allocate\nslab page and are not zeroed out after allocation. We are not yet sure\nwhy these crashes start happening only recently but regardless of the\nreason, not initializing a field that gets used later is wrong. Fix it\nby initializing slab-\u003eobj_exts during slab page allocation." } ], "providerMetadata": { "dateUpdated": "2025-05-01T13:07:13.593Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8baa747193591410a853bac9c3710142dfa4937b" }, { "url": "https://git.kernel.org/stable/c/28bef6622a1a874fe63aceeb0c684fab75afb3ae" }, { "url": "https://git.kernel.org/stable/c/d2f5819b6ed357c0c350c0616b6b9f38be59adf6" } ], "title": "slab: ensure slab-\u003eobj_exts is clear in a newly allocated slab page", "x_generator": { "engine": "bippy-1.1.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-37774", "datePublished": "2025-05-01T13:07:13.593Z", "dateReserved": "2025-04-16T04:51:23.939Z", "dateUpdated": "2025-05-01T13:07:13.593Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2025-37774\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-01T14:15:40.877\",\"lastModified\":\"2025-05-02T13:53:20.943\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nslab: ensure slab-\u003eobj_exts is clear in a newly allocated slab page\\n\\nktest recently reported crashes while running several buffered io tests\\nwith __alloc_tagging_slab_alloc_hook() at the top of the crash call stack.\\nThe signature indicates an invalid address dereference with low bits of\\nslab-\u003eobj_exts being set. The bits were outside of the range used by\\npage_memcg_data_flags and objext_flags and hence were not masked out\\nby slab_obj_exts() when obtaining the pointer stored in slab-\u003eobj_exts.\\nThe typical crash log looks like this:\\n\\n00510 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\\n00510 Mem abort info:\\n00510 ESR = 0x0000000096000045\\n00510 EC = 0x25: DABT (current EL), IL = 32 bits\\n00510 SET = 0, FnV = 0\\n00510 EA = 0, S1PTW = 0\\n00510 FSC = 0x05: level 1 translation fault\\n00510 Data abort info:\\n00510 ISV = 0, ISS = 0x00000045, ISS2 = 0x00000000\\n00510 CM = 0, WnR = 1, TnD = 0, TagAccess = 0\\n00510 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n00510 user pgtable: 4k pages, 39-bit VAs, pgdp=0000000104175000\\n00510 [0000000000000010] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\\n00510 Internal error: Oops: 0000000096000045 [#1] SMP\\n00510 Modules linked in:\\n00510 CPU: 10 UID: 0 PID: 7692 Comm: cat Not tainted 6.15.0-rc1-ktest-g189e17946605 #19327 NONE\\n00510 Hardware name: linux,dummy-virt (DT)\\n00510 pstate: 20001005 (nzCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)\\n00510 pc : __alloc_tagging_slab_alloc_hook+0xe0/0x190\\n00510 lr : __kmalloc_noprof+0x150/0x310\\n00510 sp : ffffff80c87df6c0\\n00510 x29: ffffff80c87df6c0 x28: 000000000013d1ff x27: 000000000013d200\\n00510 x26: ffffff80c87df9e0 x25: 0000000000000000 x24: 0000000000000001\\n00510 x23: ffffffc08041953c x22: 000000000000004c x21: ffffff80c0002180\\n00510 x20: fffffffec3120840 x19: ffffff80c4821000 x18: 0000000000000000\\n00510 x17: fffffffec3d02f00 x16: fffffffec3d02e00 x15: fffffffec3d00700\\n00510 x14: fffffffec3d00600 x13: 0000000000000200 x12: 0000000000000006\\n00510 x11: ffffffc080bb86c0 x10: 0000000000000000 x9 : ffffffc080201e58\\n00510 x8 : ffffff80c4821060 x7 : 0000000000000000 x6 : 0000000055555556\\n00510 x5 : 0000000000000001 x4 : 0000000000000010 x3 : 0000000000000060\\n00510 x2 : 0000000000000000 x1 : ffffffc080f50cf8 x0 : ffffff80d801d000\\n00510 Call trace:\\n00510 __alloc_tagging_slab_alloc_hook+0xe0/0x190 (P)\\n00510 __kmalloc_noprof+0x150/0x310\\n00510 __bch2_folio_create+0x5c/0xf8\\n00510 bch2_folio_create+0x2c/0x40\\n00510 bch2_readahead+0xc0/0x460\\n00510 read_pages+0x7c/0x230\\n00510 page_cache_ra_order+0x244/0x3a8\\n00510 page_cache_async_ra+0x124/0x170\\n00510 filemap_readahead.isra.0+0x58/0xa0\\n00510 filemap_get_pages+0x454/0x7b0\\n00510 filemap_read+0xdc/0x418\\n00510 bch2_read_iter+0x100/0x1b0\\n00510 vfs_read+0x214/0x300\\n00510 ksys_read+0x6c/0x108\\n00510 __arm64_sys_read+0x20/0x30\\n00510 invoke_syscall.constprop.0+0x54/0xe8\\n00510 do_el0_svc+0x44/0xc8\\n00510 el0_svc+0x18/0x58\\n00510 el0t_64_sync_handler+0x104/0x130\\n00510 el0t_64_sync+0x154/0x158\\n00510 Code: d5384100 f9401c01 b9401aa3 b40002e1 (f8227881)\\n00510 ---[ end trace 0000000000000000 ]---\\n00510 Kernel panic - not syncing: Oops: Fatal exception\\n00510 SMP: stopping secondary CPUs\\n00510 Kernel Offset: disabled\\n00510 CPU features: 0x0000,000000e0,00000410,8240500b\\n00510 Memory Limit: none\\n\\nInvestigation indicates that these bits are already set when we allocate\\nslab page and are not zeroed out after allocation. We are not yet sure\\nwhy these crashes start happening only recently but regardless of the\\nreason, not initializing a field that gets used later is wrong. Fix it\\nby initializing slab-\u003eobj_exts during slab page allocation.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: slab: garantizar que slab-\u0026gt;obj_exts est\u00e9 libre en una p\u00e1gina slab reci\u00e9n asignada. ktest report\u00f3 recientemente fallos al ejecutar varias pruebas de E/S con buffer con __alloc_tagging_slab_alloc_hook() en la parte superior de la pila de llamadas de fallo. La firma indica una desreferencia de direcci\u00f3n no v\u00e1lida con bits bajos de slab-\u0026gt;obj_exts activados. Los bits estaban fuera del rango utilizado por page_memcg_data_flags y objext_flags, por lo que slab_obj_exts() no los enmascar\u00f3 al obtener el puntero almacenado en slab-\u0026gt;obj_exts. El registro de fallos t\u00edpico se ve as\u00ed: 00510 No se puede controlar la desreferencia del puntero NULL del n\u00facleo en la direcci\u00f3n virtual 0000000000000010 00510 Informaci\u00f3n de aborto de memoria: 00510 ESR = 0x0000000096000045 00510 EC = 0x25: DABT (current EL), IL = 32 bits 00510 SET = 0, FnV = 0 00510 EA = 0, S1PTW = 0 00510 FSC = 0x05: level 1 translation fault 00510 Data abort info: 00510 ISV = 0, ISS = 0x00000045, ISS2 = 0x00000000 00510 CM = 0, WnR = 1, TnD = 0, TagAccess = 0 00510 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 00510 user pgtable: 4k pages, 39-bit VAs, pgdp=0000000104175000 00510 [0000000000000010] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 00510 Internal error: Oops: 0000000096000045 [#1] SMP 00510 Modules linked in: 00510 CPU: 10 UID: 0 PID: 7692 Comm: cat Not tainted 6.15.0-rc1-ktest-g189e17946605 #19327 NONE 00510 Hardware name: linux,dummy-virt (DT) 00510 pstate: 20001005 (nzCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--) 00510 pc : __alloc_tagging_slab_alloc_hook+0xe0/0x190 00510 lr : __kmalloc_noprof+0x150/0x310 00510 sp : ffffff80c87df6c0 00510 x29: ffffff80c87df6c0 x28: 000000000013d1ff x27: 000000000013d200 00510 x26: ffffff80c87df9e0 x25: 0000000000000000 x24: 0000000000000001 00510 x23: ffffffc08041953c x22: 000000000000004c x21: ffffff80c0002180 00510 x20: fffffffec3120840 x19: ffffff80c4821000 x18: 0000000000000000 00510 x17: fffffffec3d02f00 x16: fffffffec3d02e00 x15: fffffffec3d00700 00510 x14: fffffffec3d00600 x13: 0000000000000200 x12: 0000000000000006 00510 x11: ffffffc080bb86c0 x10: 0000000000000000 x9 : ffffffc080201e58 00510 x8 : ffffff80c4821060 x7 : 0000000000000000 x6 : 0000000055555556 00510 x5 : 0000000000000001 x4 : 0000000000000010 x3 : 0000000000000060 00510 x2 : 0000000000000000 x1 : ffffffc080f50cf8 x0 : ffffff80d801d000 00510 Call trace: 00510 __alloc_tagging_slab_alloc_hook+0xe0/0x190 (P) 00510 __kmalloc_noprof+0x150/0x310 00510 __bch2_folio_create+0x5c/0xf8 00510 bch2_folio_create+0x2c/0x40 00510 bch2_readahead+0xc0/0x460 00510 read_pages+0x7c/0x230 00510 page_cache_ra_order+0x244/0x3a8 00510 page_cache_async_ra+0x124/0x170 00510 filemap_readahead.isra.0+0x58/0xa0 00510 filemap_get_pages+0x454/0x7b0 00510 filemap_read+0xdc/0x418 00510 bch2_read_iter+0x100/0x1b0 00510 vfs_read+0x214/0x300 00510 ksys_read+0x6c/0x108 00510 __arm64_sys_read+0x20/0x30 00510 invoke_syscall.constprop.0+0x54/0xe8 00510 do_el0_svc+0x44/0xc8 00510 el0_svc+0x18/0x58 00510 el0t_64_sync_handler+0x104/0x130 00510 el0t_64_sync+0x154/0x158 00510 Code: d5384100 f9401c01 b9401aa3 b40002e1 (f8227881) 00510 ---[ end trace 0000000000000000 ]--- 00510 Kernel panic - not syncing: Oops: Fatal exception 00510 SMP: stopping secondary CPUs 00510 Kernel Offset: disabled 00510 CPU features: 0x0000,000000e0,00000410,8240500b 00510 L\u00edmite de memoria: ninguno. La investigaci\u00f3n indica que estos bits ya est\u00e1n configurados al asignar la p\u00e1gina slab y no se ponen a cero tras la asignaci\u00f3n. A\u00fan no sabemos con certeza por qu\u00e9 estos fallos han comenzado a ocurrir recientemente, pero independientemente del motivo, es incorrecto no inicializar un campo que se utiliza posteriormente. Para solucionarlo, inicialice slab-\u0026gt;obj_exts durante la asignaci\u00f3n de la p\u00e1gina slab.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/28bef6622a1a874fe63aceeb0c684fab75afb3ae\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8baa747193591410a853bac9c3710142dfa4937b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d2f5819b6ed357c0c350c0616b6b9f38be59adf6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}" } }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.