CVE-2025-21866 (GCVE-0-2025-21866)

Vulnerability from cvelistv5 – Published: 2025-03-12 09:42 – Updated: 2026-05-11 21:08
VLAI?
Title
powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC
Summary
In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6: BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 Write of size 8 at addr f1000000 by task chronyd/1293 CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 Tainted: [W]=WARN Hardware name: PowerMac3,6 7455 0x80010303 PowerMac Call Trace: [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable) [c24375b0] [c0504998] print_report+0xdc/0x504 [c2437610] [c050475c] kasan_report+0xf8/0x108 [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8 [c24376c0] [c004c014] patch_instructions+0x15c/0x16c [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478 [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14 [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4 [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890 [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420 [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c --- interrupt: c00 at 0x5a1274 NIP: 005a1274 LR: 006a3b3c CTR: 005296c8 REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4) MSR: 0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI> CR: 24004422 XER: 00000000 GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932 GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57 GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002 GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001 NIP [005a1274] 0x5a1274 LR [006a3b3c] 0x6a3b3c --- interrupt: c00 The buggy address belongs to the virtual mapping at [f1000000, f1002000) created by: text_area_cpu_up+0x20/0x190 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30 flags: 0x80000000(zone=2) raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001 raw: 00000000 page dumped because: kasan: bad access detected Memory state around the buggy address: f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ================================================================== f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not initialised hence not supposed to be used yet. Powerpc text patching infrastructure allocates a virtual memory area using get_vm_area() and flags it as VM_ALLOC. But that flag is meant to be used for vmalloc() and vmalloc() allocated memory is not supposed to be used before a call to __vmalloc_node_range() which is never called for that area. That went undetected until commit e4137f08816b ("mm, kasan, kmsan: instrument copy_from/to_kernel_nofault") The area allocated by text_area_cpu_up() is not vmalloc memory, it is mapped directly on demand when needed by map_kernel_page(). There is no VM flag corresponding to such usage, so just pass no flag. That way the area will be unpoisonned and usable immediately.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < 97de5852058a299ba447cd9782fe96488d30108b (git)
Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < f8d4c5b653c1bc0df56e15658bbf64fc359adc4e (git)
Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < 6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c (git)
Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < c905a3053518212a1017e50bd2be3bee59305bb0 (git)
Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < 2d542f13d26344e3452eee77613026ce9b653065 (git)
Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < 8d06e9208184b2851fa79a3a39d6860320c8bdf8 (git)
Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < 2e6c80423f201405fd65254e52decd21663896f3 (git)
Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < d262a192d38e527faa5984629aabda2e0d1c4f54 (git)
Create a notification for this product.
    Linux Linux Affected: 4.13
Unaffected: 0 , < 4.13 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.80 , ≤ 6.6.* (semver)
Unaffected: 6.12.17 , ≤ 6.12.* (semver)
Unaffected: 6.13.5 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21866",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:25:25.349170Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:36.847Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:23.377Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/lib/code-patching.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "97de5852058a299ba447cd9782fe96488d30108b",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "f8d4c5b653c1bc0df56e15658bbf64fc359adc4e",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "c905a3053518212a1017e50bd2be3bee59305bb0",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "2d542f13d26344e3452eee77613026ce9b653065",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "8d06e9208184b2851fa79a3a39d6860320c8bdf8",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "2e6c80423f201405fd65254e52decd21663896f3",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "d262a192d38e527faa5984629aabda2e0d1c4f54",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/lib/code-patching.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC\n\nErhard reported the following KASAN hit while booting his PowerMac G4\nwith a KASAN-enabled kernel 6.13-rc6:\n\n  BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8\n  Write of size 8 at addr f1000000 by task chronyd/1293\n\n  CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G        W          6.13.0-rc6-PMacG4 #2\n  Tainted: [W]=WARN\n  Hardware name: PowerMac3,6 7455 0x80010303 PowerMac\n  Call Trace:\n  [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable)\n  [c24375b0] [c0504998] print_report+0xdc/0x504\n  [c2437610] [c050475c] kasan_report+0xf8/0x108\n  [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c\n  [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8\n  [c24376c0] [c004c014] patch_instructions+0x15c/0x16c\n  [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c\n  [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac\n  [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec\n  [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478\n  [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14\n  [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4\n  [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890\n  [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420\n  [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c\n  --- interrupt: c00 at 0x5a1274\n  NIP:  005a1274 LR: 006a3b3c CTR: 005296c8\n  REGS: c2437f40 TRAP: 0c00   Tainted: G        W           (6.13.0-rc6-PMacG4)\n  MSR:  0200f932 \u003cVEC,EE,PR,FP,ME,IR,DR,RI\u003e  CR: 24004422  XER: 00000000\n\n  GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932\n  GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57\n  GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002\n  GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001\n  NIP [005a1274] 0x5a1274\n  LR [006a3b3c] 0x6a3b3c\n  --- interrupt: c00\n\n  The buggy address belongs to the virtual mapping at\n   [f1000000, f1002000) created by:\n   text_area_cpu_up+0x20/0x190\n\n  The buggy address belongs to the physical page:\n  page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30\n  flags: 0x80000000(zone=2)\n  raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001\n  raw: 00000000\n  page dumped because: kasan: bad access detected\n\n  Memory state around the buggy address:\n   f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n   f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  \u003ef1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n             ^\n   f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n   f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n  ==================================================================\n\nf8 corresponds to KASAN_VMALLOC_INVALID which means the area is not\ninitialised hence not supposed to be used yet.\n\nPowerpc text patching infrastructure allocates a virtual memory area\nusing get_vm_area() and flags it as VM_ALLOC. But that flag is meant\nto be used for vmalloc() and vmalloc() allocated memory is not\nsupposed to be used before a call to __vmalloc_node_range() which is\nnever called for that area.\n\nThat went undetected until commit e4137f08816b (\"mm, kasan, kmsan:\ninstrument copy_from/to_kernel_nofault\")\n\nThe area allocated by text_area_cpu_up() is not vmalloc memory, it is\nmapped directly on demand when needed by map_kernel_page(). There is\nno VM flag corresponding to such usage, so just pass no flag. That way\nthe area will be unpoisonned and usable immediately."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:08:02.007Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/97de5852058a299ba447cd9782fe96488d30108b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8d4c5b653c1bc0df56e15658bbf64fc359adc4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c905a3053518212a1017e50bd2be3bee59305bb0"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d542f13d26344e3452eee77613026ce9b653065"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d06e9208184b2851fa79a3a39d6860320c8bdf8"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e6c80423f201405fd65254e52decd21663896f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/d262a192d38e527faa5984629aabda2e0d1c4f54"
        }
      ],
      "title": "powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21866",
    "datePublished": "2025-03-12T09:42:22.587Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2026-05-11T21:08:02.007Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…