CVE-2025-39992 (GCVE-0-2025-39992)
Vulnerability from cvelistv5
Published: 2025-10-15 07:58
Modified: 2025-10-15 07:58
Summary
In the Linux kernel, the following vulnerability has been resolved:

mm: swap: check for stable address space before operating on the VMA

It is possible to hit a zero entry while traversing the vmas in unuse_mm()
called from swapoff path and accessing it causes the OOPS:

    Unable to handle kernel NULL pointer dereference at virtual address
    0000000000000446--> Loading the memory from offset 0x40 on the
    XA_ZERO_ENTRY as address.
    Mem abort info:
      ESR = 0x0000000096000005
      EC = 0x25: DABT (current EL), IL = 32 bits
      SET = 0, FnV = 0
      EA = 0, S1PTW = 0
      FSC = 0x05: level 1 translation fault

The issue is manifested from the below race between the fork() on a
process and swapoff:

    fork(dup_mmap())                          swapoff(unuse_mm)
    ---------------                           -----------------
    1) Identical mtree is built using
       __mt_dup().

    2) copy_pte_range()-->
       copy_nonpresent_pte():
       The dst mm is added into the
       mmlist to be visible to the
       swapoff operation.

    3) Fatal signal is sent to the parent
       process(which is the current during the
       fork) thus skip the duplication of the
       vmas and mark the vma range with
       XA_ZERO_ENTRY as a marker for this process
       that helps during exit_mmap().

                                              4) swapoff is tried on the
                                                 'mm' added to the 'mmlist' as
                                                 part of the 2.

                                              5) unuse_mm(), that iterates
                                                 through the vma's of this 'mm'
                                                 will hit the non-NULL zero entry
                                                 and operating on this zero entry
                                                 as a vma is resulting into the
                                                 oops.

The proper fix would be around not exposing this partially-valid tree to
others when dropping the mmap lock, which is being solved with [1]. A
simpler solution would be checking for MMF_UNSTABLE, as it is set if
mm_struct is not fully initialized in dup_mmap().

Thanks to Liam/Lorenzo/David for all the suggestions in fixing this
issue.
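
The following userspace model is an added example, not code from the kernel or from the fix commits. It shows why the reported fault address decodes to the zero-entry marker plus 0x40, and how a stable-address-space check stops the walk before any entry is touched. The struct layouts, the `UNSTABLE` bit value and all function names are assumptions made for illustration; only the marker encoding `(257 << 2) | 2` mirrors the kernel's `xa_mk_internal(257)`.

```c
#include <stddef.h>
#include <stdint.h>

/* Kernel encoding: XA_ZERO_ENTRY = xa_mk_internal(257) = (257 << 2) | 2 = 0x406. */
#define ZERO_ENTRY ((void *)(uintptr_t)((257UL << 2) | 2))
#define UNSTABLE   1UL  /* model flag standing in for MMF_UNSTABLE (bit value assumed) */

struct vma_model { long swapped_pages; };                  /* hypothetical layout */
struct mm_model  { unsigned long flags; void *slot[3]; };  /* slot[]: toy VMA tree */

/* Triage: is the fault address the zero-entry marker plus a field offset? */
int fault_is_zero_entry_deref(uintptr_t fault_addr, uintptr_t field_off)
{
    return fault_addr == (uintptr_t)ZERO_ENTRY + field_off;
}

/* Toy walk over the tree. Returns the pages handled, or -1 at the point
 * where a marker would have been dereferenced as a VMA (the oops).
 * check_stable != 0 models the simpler fix: skip an unstable mm entirely. */
long unuse_mm_model(const struct mm_model *mm, int check_stable)
{
    long pages = 0;
    if (check_stable && (mm->flags & UNSTABLE))
        return 0;
    for (size_t i = 0; i < 3; i++) {
        void *entry = mm->slot[i];
        if (entry == ZERO_ENTRY)
            return -1;              /* non-NULL, yet not a VMA */
        if (entry != NULL)
            pages += ((struct vma_model *)entry)->swapped_pages;
    }
    return pages;
}

/* Constructed case: one VMA was duplicated, then fork failed and marked the rest. */
long run_failed_fork_case(int check_stable)
{
    struct vma_model copied = { 4 };
    struct mm_model child = { UNSTABLE, { &copied, ZERO_ENTRY, NULL } };
    return unuse_mm_model(&child, check_stable);
}

int main(void)
{
    return !(fault_is_zero_entry_deref(0x446, 0x40) &&
             run_failed_fork_case(0) == -1 && run_failed_fork_case(1) == 0);
}
```

A NULL test alone does not catch the marker, which is why the model treats it as a distinct case from an empty slot.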
References
- https://git.kernel.org/stable/c/4e5f060d7347466f77aaff1c0d5a6c4f1fb217ac
- https://git.kernel.org/stable/c/9cddad3b26dac830407d2d3c0de5205ff6d6dda0
- https://git.kernel.org/stable/c/e4e99d69b8b8295c501b2eef89e13306b738b667
- https://git.kernel.org/stable/c/1367da7eb875d01102d2ed18654b24d261ff5393
Impacted products
- Vendor: Linux. Product: Linux. Program file: mm/swapfile.c. Repository: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Affected (git): from commit d2406291483775ecddaee929231a39c70c08fda2 up to, but not including, each of the four commits listed under References.
- Affected (release): 6.8.
- Unaffected: versions before 6.8; 6.12.51 and later in the 6.12.* series; 6.16.11 and later in the 6.16.* series; 6.17.1 and later in the 6.17.* series; 6.18-rc1 and later (original commit for fix).
- CPE: cpe:2.3:o:linux:linux_kernel, vulnerable from 6.8 (inclusive) up to 6.12.51, 6.16.11, 6.17.1 and 6.18-rc1 (each exclusive).
- Record: CVE-2025-39992, assigner Linux, state PUBLISHED, reserved 2025-04-16, NVD status "Awaiting Analysis" (last modified 2025-10-16).