CVE-2025-37922

一、漏洞信息
 漏洞编号：[CVE-2025-37922](https://nvd.nist.gov/vuln/detail/CVE-2025-37922)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：N/A None
  Vector：CVSS：3.0/
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:book3s64/radix : Align section vmemmap start address to PAGE_SIZEA vmemmap altmap is a device-provided region used to providebacking storage for struct pages. For each namespace, the altmapshould belong to that same namespace. If the namespaces arecreated unaligned, there is a chance that the section vmemmapstart address could also be unaligned. If the section vmemmapstart address is unaligned, the altmap page allocated from thecurrent namespace might be used by the previous namespace also.During the free operation, since the altmap is shared between twonamespaces, the previous namespace may detect that the page doesnot belong to its altmap and incorrectly assume that the page is anormal page. It then attempts to free the normal page, which leadsto a kernel crash.Kernel attempted to read user page (18) - exploit attempt? (uid: 0)BUG: Kernel NULL pointer dereference on read at 0x00000018Faulting instruction address: 0xc000000000530c7cOops: Kernel access of bad area, sig: 11 [#1]LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeriesCPU: 32 PID: 2104 Comm: ndctl Kdump: loaded Tainted: G        WNIP:  c000000000530c7c LR: c000000000530e00 CTR: 0000000000007ffeREGS: c000000015e57040 TRAP: 0300   Tainted: G        WMSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 84482404CFAR: c000000000530dfc DAR: 0000000000000018 DSISR: 40000000 IRQMASK: 0GPR00: c000000000530e00 c000000015e572e0 c000000002c5cb00 c00c000101008040GPR04: 0000000000000000 0000000000000007 0000000000000001 000000000000001fGPR08: 0000000000000005 0000000000000000 0000000000000018 0000000000002000GPR12: c0000000001d2fb0 c0000060de6b0080 0000000000000000 c0000060dbf90020GPR16: c00c000101008000 0000000000000001 0000000000000000 c000000125b20f00GPR20: 0000000000000001 0000000000000000 ffffffffffffffff c00c000101007fffGPR24: 0000000000000001 0000000000000000 0000000000000000 0000000000000000GPR28: 0000000004040201 0000000000000001 0000000000000000 c00c000101008040NIP [c000000000530c7c] get_pfnblock_flags_mask+0x7c/0xd0LR [c000000000530e00] free_unref_page_prepare+0x130/0x4f0Call Trace:free_unref_page+0x50/0x1e0free_reserved_page+0x40/0x68free_vmemmap_pages+0x98/0xe0remove_pte_table+0x164/0x1e8remove_pmd_table+0x204/0x2c8remove_pud_table+0x1c4/0x288remove_pagetable+0x1c8/0x310vmemmap_free+0x24/0x50section_deactivate+0x28c/0x2a0__remove_pages+0x84/0x110arch_remove_memory+0x38/0x60memunmap_pages+0x18c/0x3d0devm_action_release+0x30/0x50release_nodes+0x68/0x140devres_release_group+0x100/0x190dax_pmem_compat_release+0x44/0x80 [dax_pmem_compat]device_for_each_child+0x8c/0x100[dax_pmem_compat_remove+0x2c/0x50 [dax_pmem_compat]nvdimm_bus_remove+0x78/0x140 [libnvdimm]device_remove+0x70/0xd0Another issue is that if there is no altmap, a PMD-sized vmemmappage will be allocated from RAM, regardless of the alignment ofthe section start address. If the section start address is notaligned to the PMD size, a VM_BUG_ON will be triggered whensetting the PMD-sized page to page table.In this patch, we are aligning the section vmemmap start addressto PAGE_SIZE. After alignment, the start address will not bepart of the current namespace, and a normal page will be allocatedfor the vmemmap mapping of the current section. For the remainingsections, altmaps will be allocated. During the free operation,the normal page will be correctly freed.In the same way, a PMD_SIZE vmemmap page will be allocated only ifthe section start address is PMD_SIZE-aligned; otherwise, it willfall back to a PAGE-sized vmemmap allocation.Without this patch==================NS1 start               NS2 start _________________________________________________________|         NS1               |            NS2              | ---------------------------------------------------------| Altmap| Altmap | .....|Altmap| Altmap | ...........|  NS1  |  NS1   ---truncated---
 漏洞公开时间：2025-05-21 00:15:28
 漏洞创建时间：2025-05-21 01:17:51
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2025-37922
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/400be767deaf31a073c6d14c5d151ae5ac2a60e2 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/7f5476d80f2cb364701cd1fa138a14b241ca99e9 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/9a8d4d7072d4df108479b1adc4b0840e96f6f61d |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/9cf7e13fecbab0894f6986fc6986ab2eba8de52e |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-37922 | https://bugzilla.suse.com/show_bug.cgi?id=1243481 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2025-37922 | https://bugzilla.suse.com/show_bug.cgi?id=1243481 |
| suse_bugzilla | https://git.kernel.org/stable/c/400be767deaf31a073c6d14c5d151ae5ac2a60e2 | https://bugzilla.suse.com/show_bug.cgi?id=1243481 |
| suse_bugzilla | https://git.kernel.org/stable/c/7f5476d80f2cb364701cd1fa138a14b241ca99e9 | https://bugzilla.suse.com/show_bug.cgi?id=1243481 |
| suse_bugzilla | https://git.kernel.org/stable/c/9a8d4d7072d4df108479b1adc4b0840e96f6f61d | https://bugzilla.suse.com/show_bug.cgi?id=1243481 |
| suse_bugzilla | https://git.kernel.org/stable/c/9cf7e13fecbab0894f6986fc6986ab2eba8de52e | https://bugzilla.suse.com/show_bug.cgi?id=1243481 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2025/CVE-2025-37922.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1243481 |
| suse_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2367548 | https://bugzilla.suse.com/show_bug.cgi?id=1243481 |
| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2025052003-CVE-2025-37922-7cb7@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2367548 |
| anolis |  | https://anas.openanolis.cn/cves/detail/CVE-2025-37922 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
| linux_kernel | 6.6.90 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9a8d4d7072d4df108479b1adc4b0840e96f6f61d | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=368a0590d954a659b16ab945328ada0cc10f93a0 | linuxkernelcves |
| linux_kernel | 6.12.28 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7f5476d80f2cb364701cd1fa138a14b241ca99e9 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=368a0590d954a659b16ab945328ada0cc10f93a0 | linuxkernelcves |
| linux_kernel | 6.14.6 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=400be767deaf31a073c6d14c5d151ae5ac2a60e2 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=368a0590d954a659b16ab945328ada0cc10f93a0 | linuxkernelcves |
| linux_kernel | 6.15-rc5 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9cf7e13fecbab0894f6986fc6986ab2eba8de52e | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=368a0590d954a659b16ab945328ada0cc10f93a0 | linuxkernelcves |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:book3s64/radix : Align section vmemmap start address to PAGE_SIZEA vmemmap altmap is a device-provided region used to providebacking storage for struct pages. For each namespace, the altmapshould belong to that same namespace. If the namespaces arecreated unaligned, there is a chance that the section vmemmapstart address could also be unaligned. If the section vmemmapstart address is unaligned, the altmap page allocated from thecurrent namespace might be used by the previous namespace also.During the free operation, since the altmap is shared between twonamespaces, the previous namespace may detect that the page doesnot belong to its altmap and incorrectly assume that the page is anormal page. It then attempts to free the normal page, which leadsto a kernel crash.Kernel attempted to read user page (18) - exploit attempt? (uid: 0)BUG: Kernel NULL pointer dereference on read at 0x00000018Faulting instruction address: 0xc000000000530c7cOops: Kernel access of bad area, sig: 11 [#1]LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeriesCPU: 32 PID: 2104 Comm: ndctl Kdump: loaded Tainted: G        WNIP:  c000000000530c7c LR: c000000000530e00 CTR: 0000000000007ffeREGS: c000000015e57040 TRAP: 0300   Tainted: G        WMSR:  800000000280b033 &lt;SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE&gt;  CR: 84482404CFAR: c000000000530dfc DAR: 0000000000000018 DSISR: 40000000 IRQMASK: 0GPR00: c000000000530e00 c000000015e572e0 c000000002c5cb00 c00c000101008040GPR04: 0000000000000000 0000000000000007 0000000000000001 000000000000001fGPR08: 0000000000000005 0000000000000000 0000000000000018 0000000000002000GPR12: c0000000001d2fb0 c0000060de6b0080 0000000000000000 c0000060dbf90020GPR16: c00c000101008000 0000000000000001 0000000000000000 c000000125b20f00GPR20: 0000000000000001 0000000000000000 ffffffffffffffff c00c000101007fffGPR24: 0000000000000001 0000000000000000 0000000000000000 0000000000000000GPR28: 0000000004040201 0000000000000001 0000000000000000 c00c000101008040NIP [c000000000530c7c] get_pfnblock_flags_mask+0x7c/0xd0LR [c000000000530e00] free_unref_page_prepare+0x130/0x4f0Call Trace:free_unref_page+0x50/0x1e0free_reserved_page+0x40/0x68free_vmemmap_pages+0x98/0xe0remove_pte_table+0x164/0x1e8remove_pmd_table+0x204/0x2c8remove_pud_table+0x1c4/0x288remove_pagetable+0x1c8/0x310vmemmap_free+0x24/0x50section_deactivate+0x28c/0x2a0__remove_pages+0x84/0x110arch_remove_memory+0x38/0x60memunmap_pages+0x18c/0x3d0devm_action_release+0x30/0x50release_nodes+0x68/0x140devres_release_group+0x100/0x190dax_pmem_compat_release+0x44/0x80 [dax_pmem_compat]device_for_each_child+0x8c/0x100[dax_pmem_compat_remove+0x2c/0x50 [dax_pmem_compat]nvdimm_bus_remove+0x78/0x140 [libnvdimm]device_remove+0x70/0xd0Another issue is that if there is no altmap, a PMD-sized vmemmappage will be allocated from RAM, regardless of the alignment ofthe section start address. If the section start address is notaligned to the PMD size, a VM_BUG_ON will be triggered whensetting the PMD-sized page to page table.In this patch, we are aligning the section vmemmap start addressto PAGE_SIZE. After alignment, the start address will not bepart of the current namespace, and a normal page will be allocatedfor the vmemmap mapping of the current section. For the remainingsections, altmaps will be allocated. During the free operation,the normal page will be correctly freed.In the same way, a PMD_SIZE vmemmap page will be allocated only ifthe section start address is PMD_SIZE-aligned; otherwise, it willfall back to a PAGE-sized vmemmap allocation.Without this patch==================NS1 start               NS2 start _________________________________________________________|         NS1               |            NS2              | ---------------------------------------------------------| Altmap| Altmap | .....|Altmap| Altmap | ...........|  NS1  |  NS1   |      | NS2  |  NS2   |In the above scenario, NS1 and NS2 are two namespaces. The vmemmapfor NS1 comes from Altmap NS1, which belongs to NS1, and thevmemmap for NS2 comes from Altmap NS2, which belongs to NS2.The vmemmap start for NS2 is not aligned, so Altmap NS2 is sharedby both NS1 and NS2. During the free operation in NS1, Altmap NS2is not part of NS1&#39;s altmap, causing it to attempt to free aninvalid page.With this patch===============NS1 start               NS2 start _________________________________________________________|         NS1               |            NS2              | ---------------------------------------------------------| Altmap| Altmap | .....| Normal | Altmap | Altmap |.......|  NS1  |  NS1   |      |  Page  |  NS2   |  NS2   |If the vmemmap start for NS2 is not aligned then we are allocatinga normal page. NS1 and NS2 vmemmap will be freed correctly.The Linux kernel CVE team has assigned CVE-2025-37922 to this issue.
 openEuler评分：
  3.9
 Vector：CVSS：3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
 受影响版本排查(受影响/不受影响)：
  1.master(6.6.0):不受影响
2.openEuler-20.03-LTS-SP4(4.19.90):不受影响
3.openEuler-22.03-LTS-SP3(5.10.0):不受影响
4.openEuler-22.03-LTS-SP4(5.10.0):不受影响
5.openEuler-24.03-LTS(6.6.0):不受影响
6.openEuler-24.03-LTS-Next(6.6.0):不受影响
7.openEuler-24.03-LTS-SP1(6.6.0):不受影响
8.openEuler-24.03-LTS-SP2(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.master(6.6.0):否
2.openEuler-20.03-LTS-SP4(4.19.90):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.openEuler-22.03-LTS-SP4(5.10.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-24.03-LTS-SP1(6.6.0):否
8.openEuler-24.03-LTS-SP2(6.6.0):否

原因说明：
  1.openEuler-24.03-LTS(6.6.0):不受影响-组件不存在
2.openEuler-24.03-LTS-SP1(6.6.0):不受影响-组件不存在
3.openEuler-24.03-LTS-SP2(6.6.0):不受影响-组件不存在
4.master(6.6.0):不受影响-漏洞代码不能被攻击者触发
5.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不能被攻击者触发
6.openEuler-20.03-LTS-SP4(4.19.90):不受影响-漏洞代码不存在
7.openEuler-22.03-LTS-SP3(5.10.0):不受影响-漏洞代码不存在
8.openEuler-22.03-LTS-SP4(5.10.0):不受影响-漏洞代码不存在

src-openEuler/kernel

内容风险标识

评论 (5)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2025-37922

评论 (5)

搜索帮助

src-openEuler/kernel