fkie_cve-2025-68199
Vulnerability from fkie_nvd
Published
2025-12-16 14:15
Modified
2025-12-18 15:08
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty. As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY. Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY. When slabB gets freed, free_slab_obj_exts() is called to free slabB->obj_exts vector. free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY. Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it's already set to CODETAG_EMPTY. To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1); We then obtained this message: [21630.898561] ------------[ cut here ]------------ [21630.898596] kernel BUG at mm/slub.c:2050! [21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary) [21630.910495] Tainted: [W]=WARN [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [21630.912392] pc : __free_slab+0x228/0x250 [21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : ffff8000a02f73e0 [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40 [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40 [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40 [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000 [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66 [21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000 [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007 [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001 [21630.921810] Call trace: [21630.922130]  __free_slab+0x228/0x250 (P) [21630.922669]  free_slab+0x38/0x118 [21630.923079]  free_to_partial_list+0x1d4/0x340 [21630.923591]  __slab_free+0x24c/0x348 [21630.924024]  ___cache_free+0xf0/0x110 [21630.924468]  qlist_free_all+0x78/0x130 [21630.924922]  kasan_quarantine_reduce+0x11 ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1abbdf3d57aa964e572940d67c9ec5dc87710738
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3f56c407feb967e6faeb4e2e04eaa8edc206a686
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fc6acd4cddf76e7eb7db63649fe36980ce208f56
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncodetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext\n\nWhen alloc_slab_obj_exts() fails and then later succeeds in allocating a\nslab extension vector, it calls handle_failed_objexts_alloc() to mark all\nobjects in the vector as empty.  As a result all objects in this slab\n(slabA) will have their extensions set to CODETAG_EMPTY.\n\nLater on if this slabA is used to allocate a slabobj_ext vector for\nanother slab (slabB), we end up with the slabB-\u003eobj_exts pointing to a\nslabobj_ext vector that itself has a non-NULL slabobj_ext equal to\nCODETAG_EMPTY.  When slabB gets freed, free_slab_obj_exts() is called to\nfree slabB-\u003eobj_exts vector.  \n\nfree_slab_obj_exts() calls mark_objexts_empty(slabB-\u003eobj_exts) which will\ngenerate a warning because it expects slabobj_ext vectors to have a NULL\nobj_ext, not CODETAG_EMPTY.\n\nModify mark_objexts_empty() to skip the warning and setting the obj_ext\nvalue if it\u0027s already set to CODETAG_EMPTY.\n\n\nTo quickly detect this WARN, I modified the code from\nWARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);\n\nWe then obtained this message:\n\n[21630.898561] ------------[ cut here ]------------\n[21630.898596] kernel BUG at mm/slub.c:2050!\n[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n[21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 \nvhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap \nvhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace \nnetfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs \nblake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel \nudp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \nnf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink \nvirtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper \ndrm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi \nnet_failover virtio_console failover virtio_mmio dm_mirror \ndm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci \nvirtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 \naes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject]\n[21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: \nloaded Tainted: G\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 W\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 6.18.0-rc1+ #74 PREEMPT(voluntary)\n[21630.910495] Tainted: [W]=WARN\n[21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown \n2/2/2022\n[21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS \nBTYPE=--)\n[21630.912392] pc : __free_slab+0x228/0x250\n[21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : \nffff8000a02f73e0\n[21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: \nffff0000c0011c40\n[21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: \nffff000102199b40\n[21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: \nffff0000c0011c40\n[21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: \n0000000000000000\n[21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: \n0000000000000000\n[21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: \nffff70001405ee66\n[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : \nffff800080a295dc\n[21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : \n0000000000003000\n[21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : \n0000000000000007\n[21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : \n0000000000000001\n[21630.921810] Call trace:\n[21630.922130]\u00a0 __free_slab+0x228/0x250 (P)\n[21630.922669]\u00a0 free_slab+0x38/0x118\n[21630.923079]\u00a0 free_to_partial_list+0x1d4/0x340\n[21630.923591]\u00a0 __slab_free+0x24c/0x348\n[21630.924024]\u00a0 ___cache_free+0xf0/0x110\n[21630.924468]\u00a0 qlist_free_all+0x78/0x130\n[21630.924922]\u00a0 kasan_quarantine_reduce+0x11\n---truncated---"
    }
  ],
  "id": "CVE-2025-68199",
  "lastModified": "2025-12-18T15:08:25.907",
  "metrics": {},
  "published": "2025-12-16T14:15:52.707",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1abbdf3d57aa964e572940d67c9ec5dc87710738"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3f56c407feb967e6faeb4e2e04eaa8edc206a686"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/fc6acd4cddf76e7eb7db63649fe36980ce208f56"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.