Description

In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6: BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 Write of size 8 at addr f1000000 by task chronyd/1293 CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 Tainted: [W]=WARN Hardware name: PowerMac3,6 7455 0x80010303 PowerMac Call Trace: [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable) [c24375b0] [c0504998] print_report+0xdc/0x504 [c2437610] [c050475c] kasan_report+0xf8/0x108 [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8 [c24376c0] [c004c014] patch_instructions+0x15c/0x16c [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478 [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14 [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4 [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890 [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420 [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c --- interrupt: c00 at 0x5a1274 NIP: 005a1274 LR: 006a3b3c CTR: 005296c8 REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4) MSR: 0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI> CR: 24004422 XER: 00000000 GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932 GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57 GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002 GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001 NIP [005a1274] 0x5a1274 LR [006a3b3c] 0x6a3b3c --- interrupt: c00 The buggy address belongs to the virtual mapping at [f1000000, f1002000) created by: text_area_cpu_up+0x20/0x190 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30 flags: 0x80000000(zone=2) raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001 raw: 00000000 page dumped because: kasan: bad access detected Memory state around the buggy address: f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ================================================================== f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not initialised hence not supposed to be used yet. Powerpc text patching infrastructure allocates a virtual memory area using get_vm_area() and flags it as VM_ALLOC. But that flag is meant to be used for vmalloc() and vmalloc() allocated memory is not supposed to be used before a call to __vmalloc_node_range() which is never called for that area. That went undetected until commit e4137f08816b ("mm, kasan, kmsan: instrument copy_from/to_kernel_nofault") The area allocated by text_area_cpu_up() is not vmalloc memory, it is mapped directly on demand when needed by map_kernel_page(). There is no VM flag corresponding to such usage, so just pass no flag. That way the area will be unpoisonned and usable immediately.

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  5.5 MEDIUM

Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://git.kernel.org/stable/c/2d542f13d26344e3452eee77613026ce9b653065	Patch
https://git.kernel.org/stable/c/2e6c80423f201405fd65254e52decd21663896f3	Patch
https://git.kernel.org/stable/c/6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c	Patch
https://git.kernel.org/stable/c/8d06e9208184b2851fa79a3a39d6860320c8bdf8	Patch
https://git.kernel.org/stable/c/97de5852058a299ba447cd9782fe96488d30108b	Patch
https://git.kernel.org/stable/c/c905a3053518212a1017e50bd2be3bee59305bb0	Patch
https://git.kernel.org/stable/c/d262a192d38e527faa5984629aabda2e0d1c4f54	Patch
https://git.kernel.org/stable/c/f8d4c5b653c1bc0df56e15658bbf64fc359adc4e	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-770	Allocation of Resources Without Limits or Throttling	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Configuration 1 ( hide )

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    Show Matching CPE(s)	From (including) 4.13	Up to (excluding) 6.1.130
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    Show Matching CPE(s)	From (including) 6.2	Up to (excluding) 6.6.80
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    Show Matching CPE(s)	From (including) 6.7	Up to (excluding) 6.12.17
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    Show Matching CPE(s)	From (including) 6.13	Up to (excluding) 6.13.5
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*    Show Matching CPE(s)
cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*    Show Matching CPE(s)
cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*    Show Matching CPE(s)

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

3 change records found show changes

Initial Analysis by NIST 3/13/2025 5:13:14 PM

Action	Type	Old Value	New Value
Added	CVSS V3.1		AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Added	CWE		CWE-770
Added	CPE Configuration		Record truncated, showing 500 of 629 characters. View Entire Change Record OR *cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.13 from (excluding) 6.13.5 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 from (excluding) 6.6.80 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 from (e
Added	Reference Type		kernel.org: https://git.kernel.org/stable/c/2d542f13d26344e3452eee77613026ce9b653065 Types: Patch
Added	Reference Type		kernel.org: https://git.kernel.org/stable/c/2e6c80423f201405fd65254e52decd21663896f3 Types: Patch
Added	Reference Type		kernel.org: https://git.kernel.org/stable/c/6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c Types: Patch
Added	Reference Type		kernel.org: https://git.kernel.org/stable/c/8d06e9208184b2851fa79a3a39d6860320c8bdf8 Types: Patch
Added	Reference Type		kernel.org: https://git.kernel.org/stable/c/97de5852058a299ba447cd9782fe96488d30108b Types: Patch
Added	Reference Type		kernel.org: https://git.kernel.org/stable/c/c905a3053518212a1017e50bd2be3bee59305bb0 Types: Patch
Added	Reference Type		kernel.org: https://git.kernel.org/stable/c/d262a192d38e527faa5984629aabda2e0d1c4f54 Types: Patch
Added	Reference Type		kernel.org: https://git.kernel.org/stable/c/f8d4c5b653c1bc0df56e15658bbf64fc359adc4e Types: Patch

CVE Modified by kernel.org 3/13/2025 9:15:57 AM

Action	Type	Old Value	New Value
Added	Reference		https://git.kernel.org/stable/c/6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c
Added	Reference		https://git.kernel.org/stable/c/97de5852058a299ba447cd9782fe96488d30108b
Added	Reference		https://git.kernel.org/stable/c/f8d4c5b653c1bc0df56e15658bbf64fc359adc4e

New CVE Received from kernel.org 3/12/2025 6:15:19 AM

Action	Type	Old Value	New Value
Added	Description		Record truncated, showing 500 of 3662 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6: BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 Write of size 8 at addr f1000000 by task chronyd/1293 CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 Tainted: [W]=
Added	Reference		https://git.kernel.org/stable/c/2d542f13d26344e3452eee77613026ce9b653065
Added	Reference		https://git.kernel.org/stable/c/2e6c80423f201405fd65254e52decd21663896f3
Added	Reference		https://git.kernel.org/stable/c/8d06e9208184b2851fa79a3a39d6860320c8bdf8
Added	Reference		https://git.kernel.org/stable/c/c905a3053518212a1017e50bd2be3bee59305bb0
Added	Reference		https://git.kernel.org/stable/c/d262a192d38e527faa5984629aabda2e0d1c4f54