一、漏洞信息
漏洞编号:[CVE-2025-39879](https://nvd.nist.gov/vuln/detail/CVE-2025-39879)
漏洞归属组件:[kernel](https://gitee.com/src-openeuler/kernel)
漏洞归属的版本:4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.4.0,6.6.0
CVSS V3.0分值:
BaseScore:N/A None
Vector:CVSS:3.0/
漏洞简述:
In the Linux kernel, the following vulnerability has been resolved:ceph: always call ceph_shift_unused_folios_left()The function ceph_process_folio_batch() sets folio_batch entries toNULL, which is an illegal state. Before folio_batch_release() crashesdue to this API violation, the function ceph_shift_unused_folios_left()is supposed to remove those NULLs from the array.However, since commit ce80b76dd327 ( ceph: introduceceph_process_folio_batch() method ), this shifting doesn t happenanymore because the for loop got moved to ceph_process_folio_batch(),and now the `i` variable that remains in ceph_writepages_start()doesn t get incremented anymore, making the shifting effectivelyunreachable much of the time.Later, commit 1551ec61dc55 ( ceph: introduce ceph_submit_write()method ) added more preconditions for doing the shift, replacing the`i` check (with something that is still just as broken):- if ceph_process_folio_batch() fails, shifting never happens- if ceph_move_dirty_page_in_page_array() was never called (because ceph_process_folio_batch() has returned early for some of various reasons), shifting never happens- if `processed_in_fbatch` is zero (because ceph_process_folio_batch() has returned early for some of the reasons mentioned above or because ceph_move_dirty_page_in_page_array() has failed), shifting never happensSince those two commits, any problem in ceph_process_folio_batch()could crash the kernel, e.g. this way: BUG: kernel NULL pointer dereference, address: 0000000000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] SMP NOPTI CPU: 172 UID: 0 PID: 2342707 Comm: kworker/u778:8 Not tainted 6.15.10-cm4all1-es #714 NONE Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.10 12/08/2023 Workqueue: writeback wb_workfn (flush-ceph-1) RIP: 0010:folios_put_refs+0x85/0x140 Code: 83 c5 01 39 e8 7e 76 48 63 c5 49 8b 5c c4 08 b8 01 00 00 00 4d 85 ed 74 05 41 8b 44 ad 00 48 8b 15 b0 > RSP: 0018:ffffb880af8db778 EFLAGS: 00010207 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000003 RDX: ffffe377cc3b0000 RSI: 0000000000000000 RDI: ffffb880af8db8c0 RBP: 0000000000000000 R08: 000000000000007d R09: 000000000102b86f R10: 0000000000000001 R11: 00000000000000ac R12: ffffb880af8db8c0 R13: 0000000000000000 R14: 0000000000000000 R15: ffff9bd262c97000 FS: 0000000000000000(0000) GS:ffff9c8efc303000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000034 CR3: 0000000160958004 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> ceph_writepages_start+0xeb9/0x1410The crash can be reproduced easily by changing theceph_check_page_before_write() return value to `-E2BIG`.(Interestingly, the crash happens only if `huge_zero_folio` hasalready been allocated; without `huge_zero_folio`,is_huge_zero_folio(NULL) returns true and folios_put_refs() skips NULLentries instead of dereferencing them. That makes reproducing the bugsomewhat unreliable. Seehttps://lore.kernel.org/
漏洞公开时间:2025-09-23 14:15:47
漏洞创建时间:2025-09-23 14:36:30
漏洞详情参考链接:
https://nvd.nist.gov/vuln/detail/CVE-2025-39879
<details>
<summary>更多参考(点击展开)</summary>
| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| | https://git.kernel.org/stable/c/289b6615cf553d98509a9b273195d9936da1cfb2 | |
| | https://git.kernel.org/stable/c/cce7c15faaac79b532a07ed6ab8332280ad83762 | |
| | https://lore.kernel.org/linux-cve-announce/2025092301-CVE-2025-39879-3ed2@gregkh/T/#u | |
| | https://security-tracker.debian.org/tracker/CVE-2025-39879 | |
| | https://www.cve.org/CVERecord?id=CVE-2025-39879 | |
| | https://nvd.nist.gov/vuln/detail/CVE-2025-39879 | |
| | https://lore.kernel.org/linux-cve-announce/2025092301-CVE-2025-39879-3ed2@gregkh/T | |
| | https://bugzilla.redhat.com/show_bug.cgi?id=2397557 | |
| | https://git.kernel.org/stable/c/289b6615cf553d98509a9b273195d9936da1cfb2 | |
| | https://git.kernel.org/stable/c/cce7c15faaac79b532a07ed6ab8332280ad83762 | |
</details>
漏洞分析指导链接:
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
七彩瞬析开源风险感知平台
漏洞补丁信息:
<details>
<summary>详情(点击展开)</summary>
| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |
| ------- | -------- | ------- | -------- | --------- |
| gregkh/linux | | https://git.kernel.org/stable/c/289b6615cf553d98509a9b273195d9936da1cfb2 | | ljqc |
| gregkh/linux | | https://git.kernel.org/stable/c/cce7c15faaac79b532a07ed6ab8332280ad83762 | | ljqc |
| | | https://git.kernel.org/stable/c/289b6615cf553d98509a9b273195d9936da1cfb2 | | cvelistv5 |
| | | https://git.kernel.org/stable/c/cce7c15faaac79b532a07ed6ab8332280ad83762 | | cvelistv5 |
| | | https://git.kernel.org/stable/c/289b6615cf553d98509a9b273195d9936da1cfb2 | | cnnvd |
| | | https://git.kernel.org/stable/c/cce7c15faaac79b532a07ed6ab8332280ad83762 | | cnnvd |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:ceph: always call ceph_shift_unused_folios_left()The function ceph_process_folio_batch() sets folio_batch entries toNULL, which is an illegal state. Before folio_batch_release() crashesdue to this API violation, the function ceph_shift_unused_folios_left()is supposed to remove those NULLs from the array.However, since commit ce80b76dd327 ( ceph: introduceceph_process_folio_batch() method ), this shifting doesn t happenanymore because the for loop got moved to ceph_process_folio_batch(),and now the `i` variable that remains in ceph_writepages_start()doesn t get incremented anymore, making the shifting effectivelyunreachable much of the time.Later, commit 1551ec61dc55 ( ceph: introduce ceph_submit_write()method ) added more preconditions for doing the shift, replacing the`i` check (with something that is still just as broken):- if ceph_process_folio_batch() fails, shifting never happens- if ceph_move_dirty_page_in_page_array() was never called (because ceph_process_folio_batch() has returned early for some of various reasons), shifting never happens- if `processed_in_fbatch` is zero (because ceph_process_folio_batch() has returned early for some of the reasons mentioned above or because ceph_move_dirty_page_in_page_array() has failed), shifting never happensSince those two commits, any problem in ceph_process_folio_batch()could crash the kernel, e.g. this way: BUG: kernel NULL pointer dereference, address: 0000000000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] SMP NOPTI CPU: 172 UID: 0 PID: 2342707 Comm: kworker/u778:8 Not tainted 6.15.10-cm4all1-es #714 NONE Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.10 12/08/2023 Workqueue: writeback wb_workfn (flush-ceph-1) RIP: 0010:folios_put_refs+0x85/0x140 Code: 83 c5 01 39 e8 7e 76 48 63 c5 49 8b 5c c4 08 b8 01 00 00 00 4d 85 ed 74 05 41 8b 44 ad 00 48 8b 15 b0 > RSP: 0018:ffffb880af8db778 EFLAGS: 00010207 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000003 RDX: ffffe377cc3b0000 RSI: 0000000000000000 RDI: ffffb880af8db8c0 RBP: 0000000000000000 R08: 000000000000007d R09: 000000000102b86f R10: 0000000000000001 R11: 00000000000000ac R12: ffffb880af8db8c0 R13: 0000000000000000 R14: 0000000000000000 R15: ffff9bd262c97000 FS: 0000000000000000(0000) GS:ffff9c8efc303000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000034 CR3: 0000000160958004 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> ceph_writepages_start+0xeb9/0x1410The crash can be reproduced easily by changing theceph_check_page_before_write() return value to `-E2BIG`.(Interestingly, the crash happens only if `huge_zero_folio` hasalready been allocated; without `huge_zero_folio`,is_huge_zero_folio(NULL) returns true and folios_put_refs() skips NULLentries instead of dereferencing them. That makes reproducing the bugsomewhat unreliable. See<a href= https://lore.kernel.org/20250826231626.218675-1-max.kellermann@ionos.com rel= nofollow >https://lore.kernel.org/20250826231626.218675-1-max.kellermann@ionos.com</a>for a discussion of this detail.)My suggestion is to move the ceph_shift_unused_folios_left() to rightafter ceph_process_folio_batch() to ensure it always gets called tofix up the illegal folio_batch state.The Linux kernel CVE team has assigned CVE-2025-39879 to this issue.
openEuler评分:
5.5
Vector:CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
受影响版本排查(受影响/不受影响):
1.master:不受影响
2.openEuler-20.03-LTS-SP4(4.19.90):不受影响
3.openEuler-22.03-LTS-SP3(5.10.0):不受影响
4.openEuler-22.03-LTS-SP4(5.10.0):不受影响
5.openEuler-24.03-LTS(6.6.0):不受影响
6.openEuler-24.03-LTS-Next(6.6.0):不受影响
7.openEuler-24.03-LTS-SP1(6.6.0):不受影响
8.openEuler-24.03-LTS-SP2(6.6.0):不受影响
修复是否涉及abi变化(是/否):
1.master:否
2.openEuler-20.03-LTS-SP4(4.19.90):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.openEuler-22.03-LTS-SP4(5.10.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-24.03-LTS-SP1(6.6.0):否
8.openEuler-24.03-LTS-SP2(6.6.0):否
原因说明:
1.master:不受影响-漏洞代码不能被攻击者触发
2.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不能被攻击者触发
3.openEuler-20.03-LTS-SP4(4.19.90):不受影响-漏洞代码不存在
4.openEuler-22.03-LTS-SP3(5.10.0):不受影响-漏洞代码不存在
5.openEuler-22.03-LTS-SP4(5.10.0):不受影响-漏洞代码不存在
6.openEuler-24.03-LTS(6.6.0):不受影响-漏洞代码不存在
7.openEuler-24.03-LTS-SP1(6.6.0):不受影响-漏洞代码不存在
8.openEuler-24.03-LTS-SP2(6.6.0):不受影响-漏洞代码不存在
openeuler-ci-bot
拥有者
