cve-2025-37958
Vulnerability from cvelistv5
Published
2025-05-20 16:01
Modified
2025-06-27 10:21
Summary
mm/huge_memory: fix dereferencing invalid pmd migration entry
References
{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [ "mm/huge_memory.c" ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            { "lessThan": "753f142f7ff7d2223a47105b61e1efd91587d711", "status": "affected", "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3", "versionType": "git" },
            { "lessThan": "9468afbda3fbfcec21ac8132364dff3dab945faf", "status": "affected", "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3", "versionType": "git" },
            { "lessThan": "ef5706bed97e240b4abf4233ceb03da7336bc775", "status": "affected", "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3", "versionType": "git" },
            { "lessThan": "22f6368768340260e862f35151d2e1c55cb1dc75", "status": "affected", "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3", "versionType": "git" },
            { "lessThan": "3977946f61cdba87b6b5aaf7d7094e96089583a5", "status": "affected", "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3", "versionType": "git" },
            { "lessThan": "6166c3cf405441f7147b322980144feb3cefc617", "status": "affected", "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3", "versionType": "git" },
            { "lessThan": "fbab262b0c8226c697af1851a424896ed47dedcc", "status": "affected", "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3", "versionType": "git" },
            { "lessThan": "be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7", "status": "affected", "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3", "versionType": "git" }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [ "mm/huge_memory.c" ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            { "status": "affected", "version": "4.14" },
            { "lessThan": "4.14", "status": "unaffected", "version": "0", "versionType": "semver" },
            { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.295", "versionType": "semver" },
            { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" },
            { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" },
            { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" },
            { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.95", "versionType": "semver" },
            { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.29", "versionType": "semver" },
            { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.7", "versionType": "semver" },
            { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.295", "versionStartIncluding": "4.14", "vulnerable": true },
                { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "4.14", "vulnerable": true },
                { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "4.14", "vulnerable": true },
                { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "4.14", "vulnerable": true },
                { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.95", "versionStartIncluding": "4.14", "vulnerable": true },
                { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.29", "versionStartIncluding": "4.14", "vulnerable": true },
                { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.7", "versionStartIncluding": "4.14", "vulnerable": true },
                { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "versionStartIncluding": "4.14", "vulnerable": true }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix dereferencing invalid pmd migration entry\n\nWhen migrating a THP, concurrent access to the PMD migration entry during\na deferred split scan can lead to an invalid address access, as\nillustrated below. To prevent this invalid access, it is necessary to\ncheck the PMD migration entry and return early. In this context, there is\nno need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the\nequality of the target folio. Since the PMD migration entry is locked, it\ncannot be served as the target.\n\nMailing list discussion and explanation from Hugh Dickins: \"An anon_vma\nlookup points to a location which may contain the folio of interest, but\nmight instead contain another folio: and weeding out those other folios is\nprecisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of\nreplacing the wrong folio\" comment a few lines above it) is for.\"\n\nBUG: unable to handle page fault for address: ffffea60001db008\nCPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60\nCall Trace:\n\u003cTASK\u003e\ntry_to_migrate_one+0x28c/0x3730\nrmap_walk_anon+0x4f6/0x770\nunmap_folio+0x196/0x1f0\nsplit_huge_page_to_list_to_order+0x9f6/0x1560\ndeferred_split_scan+0xac5/0x12a0\nshrinker_debugfs_scan_write+0x376/0x470\nfull_proxy_write+0x15c/0x220\nvfs_write+0x2fc/0xcb0\nksys_write+0x146/0x250\ndo_syscall_64+0x6a/0x120\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug is found by syzkaller on an internal kernel, then confirmed on\nupstream."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-27T10:21:21.641Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        { "url": "https://git.kernel.org/stable/c/753f142f7ff7d2223a47105b61e1efd91587d711" },
        { "url": "https://git.kernel.org/stable/c/9468afbda3fbfcec21ac8132364dff3dab945faf" },
        { "url": "https://git.kernel.org/stable/c/ef5706bed97e240b4abf4233ceb03da7336bc775" },
        { "url": "https://git.kernel.org/stable/c/22f6368768340260e862f35151d2e1c55cb1dc75" },
        { "url": "https://git.kernel.org/stable/c/3977946f61cdba87b6b5aaf7d7094e96089583a5" },
        { "url": "https://git.kernel.org/stable/c/6166c3cf405441f7147b322980144feb3cefc617" },
        { "url": "https://git.kernel.org/stable/c/fbab262b0c8226c697af1851a424896ed47dedcc" },
        { "url": "https://git.kernel.org/stable/c/be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7" }
      ],
      "title": "mm/huge_memory: fix dereferencing invalid pmd migration entry",
      "x_generator": { "engine": "bippy-1.2.0" }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37958",
    "datePublished": "2025-05-20T16:01:51.740Z",
    "dateReserved": "2025-04-16T04:51:23.974Z",
    "dateUpdated": "2025-06-27T10:21:21.641Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-37958\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-20T16:15:34.027\",\"lastModified\":\"2025-06-27T11:15:25.057\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/huge_memory: fix dereferencing invalid pmd migration entry\\n\\nWhen migrating a THP, concurrent access to the PMD migration entry during\\na deferred split scan can lead to an invalid address access, as\\nillustrated below. To prevent this invalid access, it is necessary to\\ncheck the PMD migration entry and return early. In this context, there is\\nno need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the\\nequality of the target folio. Since the PMD migration entry is locked, it\\ncannot be served as the target.\\n\\nMailing list discussion and explanation from Hugh Dickins: \\\"An anon_vma\\nlookup points to a location which may contain the folio of interest, but\\nmight instead contain another folio: and weeding out those other folios is\\nprecisely what the \\\"folio != pmd_folio((*pmd)\\\" check (and the \\\"risk of\\nreplacing the wrong folio\\\" comment a few lines above it) is for.\\\"\\n\\nBUG: unable to handle page fault for address: ffffea60001db008\\nCPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\\nRIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60\\nCall Trace:\\n\u003cTASK\u003e\\ntry_to_migrate_one+0x28c/0x3730\\nrmap_walk_anon+0x4f6/0x770\\nunmap_folio+0x196/0x1f0\\nsplit_huge_page_to_list_to_order+0x9f6/0x1560\\ndeferred_split_scan+0xac5/0x12a0\\nshrinker_debugfs_scan_write+0x376/0x470\\nfull_proxy_write+0x15c/0x220\\nvfs_write+0x2fc/0xcb0\\nksys_write+0x146/0x250\\ndo_syscall_64+0x6a/0x120\\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\\n\\nThe bug is found by syzkaller on an internal kernel, then confirmed on\\nupstream.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/huge_memory: se corrige la desreferenciaci\u00f3n de una entrada de migraci\u00f3n de PMD no v\u00e1lida. Al migrar un THP, el acceso simult\u00e1neo a la entrada de migraci\u00f3n de PMD durante un escaneo dividido diferido puede provocar un acceso no v\u00e1lido a una direcci\u00f3n, como se ilustra a continuaci\u00f3n. Para evitar este acceso no v\u00e1lido, es necesario comprobar la entrada de migraci\u00f3n de PMD y regresar antes. En este contexto, no es necesario usar pmd_to_swp_entry ni pfn_swap_entry_to_page para verificar la igualdad del folio de destino. Dado que la entrada de migraci\u00f3n de PMD est\u00e1 bloqueada, no puede servir como destino. Discusi\u00f3n y explicaci\u00f3n de Hugh Dickins en la lista de correo: \\\"Una b\u00fasqueda anon_vma apunta a una ubicaci\u00f3n que podr\u00eda contener el folio de inter\u00e9s, pero que en su lugar podr\u00eda contener otro folio: y eliminar esos otros folios es precisamente para lo que sirve la comprobaci\u00f3n \\\"folio != pmd_folio((*pmd)\\\" (y el comentario \\\"riesgo de reemplazar el folio equivocado\\\" unas l\u00edneas m\u00e1s arriba).\\\" ERROR: no se puede gestionar el fallo de p\u00e1gina para la direcci\u00f3n: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee No contaminado 6.14.0+ #4 NINGUNO Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010: pmd_enorme_divisi\u00f3n_bloqueada+0x3b5/0x2b60 Rastreo de llamadas: try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e El error fue detectado por syzkaller en un kernel interno, y luego confirmado en upstream.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/22f6368768340260e862f35151d2e1c55cb1dc75\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3977946f61cdba87b6b5aaf7d7094e96089583a5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6166c3cf405441f7147b322980144feb3cefc617\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/753f142f7ff7d2223a47105b61e1efd91587d711\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9468afbda3fbfcec21ac8132364dff3dab945faf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ef5706bed97e240b4abf4233ceb03da7336bc775\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fbab262b0c8226c697af1851a424896ed47dedcc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}