CVE-2025-37960
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-37960
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37960.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-37960
- Downstream
- Related
- Published
- 2025-05-20T16:01:53Z
- Modified
- 2025-10-10T11:13:48.941560Z
- Summary
- memblock: Accept allocated memory before use in memblock_double_array()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
memblock: Accept allocated memory before use in memblockdoublearray()
When increasing the array size in memblockdoublearray() and the slab is not yet available, a call to memblockfindin_range() is used to reserve/allocate memory. However, the range returned may not have been accepted, which can result in a crash when booting an SNP guest:
RIP: 0010:memcpyorig+0x68/0x130 Code: ... RSP: 0000:ffffffff9cc03ce8 EFLAGS: 00010006 RAX: ff11001ff83e5000 RBX: 0000000000000000 RCX: fffffffffffff000 RDX: 0000000000000bc0 RSI: ffffffff9dba8860 RDI: ff11001ff83e5c00 RBP: 0000000000002000 R08: 0000000000000000 R09: 0000000000002000 R10: 000000207fffe000 R11: 0000040000000000 R12: ffffffff9d06ef78 R13: ff11001ff83e5000 R14: ffffffff9dba7c60 R15: 0000000000000c00 memblockdoublearray+0xff/0x310 memblockaddrange+0x1fb/0x2f0 memblockreserve+0x4f/0xa0 memblockallocrangenid+0xac/0x130 memblockallocinternal+0x53/0xc0 memblockalloctrynid+0x3d/0xa0 swiotlbinitremap+0x149/0x2f0 meminit+0xb/0xb0 mmcoreinit+0x8f/0x350 startkernel+0x17e/0x5d0 x8664startreservations+0x14/0x30 x8664startkernel+0x92/0xa0 secondarystartup64noverify+0x194/0x19b
Mitigate this by calling accept_memory() on the memory range returned before the slab is available.
Prior to v6.12, the acceptmemory() interface used a 'start' and 'end' parameter instead of 'start' and 'size', therefore the acceptmemory() call must be adjusted to specify 'start + size' for 'end' when applying to kernels prior to v6.12.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/7bcd29181bab8d508d2adfdbb132de8b1e088698
- https://git.kernel.org/stable/c/aa513e69e011a2b19fa22ce62ce35effbd5e0c81
- https://git.kernel.org/stable/c/d66a22f6a432a9dd376c9b365d7dc89bd416909c
- https://git.kernel.org/stable/c/da8bf5daa5e55a6af2b285ecda460d6454712ff4
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceddcdfdd40fa82b6704d2841938e5c8ec3051eb0d6Fixed7bcd29181bab8d508d2adfdbb132de8b1e088698
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceddcdfdd40fa82b6704d2841938e5c8ec3051eb0d6Fixedd66a22f6a432a9dd376c9b365d7dc89bd416909c
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceddcdfdd40fa82b6704d2841938e5c8ec3051eb0d6Fixedaa513e69e011a2b19fa22ce62ce35effbd5e0c81
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceddcdfdd40fa82b6704d2841938e5c8ec3051eb0d6Fixedda8bf5daa5e55a6af2b285ecda460d6454712ff4