CVE-2025-21866

In the Linux kernel, the following vulnerability has been resolved:

powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC

Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6:

BUG: KASAN: vmalloc-out-of-bounds in copytokernel_nofault+0xd8/0x1c8 Write of size 8 at addr f1000000 by task chronyd/1293

CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 Tainted: [W]=WARN Hardware name: PowerMac3,6 7455 0x80010303 PowerMac Call Trace: [c2437590] [c1631a84] dumpstacklvl+0x70/0x8c (unreliable) [c24375b0] [c0504998] printreport+0xdc/0x504 [c2437610] [c050475c] kasanreport+0xf8/0x108 [c2437690] [c0505a3c] kasancheckrange+0x24/0x18c [c24376a0] [c03fb5e4] copytokernelnofault+0xd8/0x1c8 [c24376c0] [c004c014] patchinstructions+0x15c/0x16c [c2437710] [c00731a8] bpfarchtextcopy+0x60/0x7c [c2437730] [c0281168] bpfjitbinarypackfinalize+0x50/0xac [c2437750] [c0073cf4] bpfintjitcompile+0xb30/0xdec [c2437880] [c0280394] bpfprogselectruntime+0x15c/0x478 [c24378d0] [c1263428] bpfpreparefilter+0xbf8/0xc14 [c2437990] [c12677ec] bpfprogcreatefromuser+0x258/0x2b4 [c24379d0] [c027111c] doseccomp+0x3dc/0x1890 [c2437ac0] [c001d8e0] systemcallexception+0x2dc/0x420 [c2437f30] [c00281ac] retfromsyscall+0x0/0x2c --- interrupt: c00 at 0x5a1274 NIP: 005a1274 LR: 006a3b3c CTR: 005296c8 REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4) MSR: 0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI> CR: 24004422 XER: 00000000

GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932 GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57 GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002 GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001 NIP [005a1274] 0x5a1274 LR [006a3b3c] 0x6a3b3c --- interrupt: c00

The buggy address belongs to the virtual mapping at [f1000000, f1002000) created by: textareacpu_up+0x20/0x190

The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30 flags: 0x80000000(zone=2) raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001 raw: 00000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ==================================================================

f8 corresponds to KASANVMALLOCINVALID which means the area is not initialised hence not supposed to be used yet.

Powerpc text patching infrastructure allocates a virtual memory area using getvmarea() and flags it as VM_ALLOC. But that flag is meant to be used for vmalloc() and vmalloc() allocated memory is not supposed to be used before a call to __vmallocnoderange() which is never called for that area.

That went undetected until commit e4137f08816b ("mm, kasan, kmsan: instrument copyfrom/tokernel_nofault")

The area allocated by textareacpuup() is not vmalloc memory, it is mapped directly on demand when needed by mapkernel_page(). There is no VM flag corresponding to such usage, so just pass no flag. That way the area will be unpoisonned and usable immediately.