CVE-2025-21866

In the Linux kernel, the following vulnerability has been resolved:

powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC

Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6:

BUG: KASAN: vmalloc-out-of-bounds in copytokernel_nofault+0xd8/0x1c8 Write of size 8 at addr f1000000 by task chronyd/1293

CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 Tainted: [W]=WARN Hardware name: PowerMac3,6 7455 0x80010303 PowerMac Call Trace: [c2437590] [c1631a84] dumpstacklvl+0x70/0x8c (unreliable) [c24375b0] [c0504998] printreport+0xdc/0x504 [c2437610] [c050475c] kasanreport+0xf8/0x108 [c2437690] [c0505a3c] kasancheckrange+0x24/0x18c [c24376a0] [c03fb5e4] copytokernelnofault+0xd8/0x1c8 [c24376c0] [c004c014] patchinstructions+0x15c/0x16c [c2437710] [c00731a8] bpfarchtextcopy+0x60/0x7c [c2437730] [c0281168] bpfjitbinarypackfinalize+0x50/0xac [c2437750] [c0073cf4] bpfintjitcompile+0xb30/0xdec [c2437880] [c0280394] bpfprogselectruntime+0x15c/0x478 [c24378d0] [c1263428] bpfpreparefilter+0xbf8/0xc14 [c2437990] [c12677ec] bpfprogcreatefromuser+0x258/0x2b4 [c24379d0] [c027111c] doseccomp+0x3dc/0x1890 [c2437ac0] [c001d8e0] systemcallexception+0x2dc/0x420 [c2437f30] [c00281ac] retfromsyscall+0x0/0x2c --- interrupt: c00 at 0x5a1274 NIP: 005a1274 LR: 006a3b3c CTR: 005296c8 REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4) MSR: 0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI> CR: 24004422 XER: 00000000

GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932 GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57 GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002 GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001 NIP [005a1274] 0x5a1274 LR [006a3b3c] 0x6a3b3c --- interrupt: c00

The buggy address belongs to the virtual mapping at [f1000000, f1002000) created by: textareacpu_up+0x20/0x190

The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30 flags: 0x80000000(zone=2) raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001 raw: 00000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ==================================================================

f8 corresponds to KASANVMALLOCINVALID which means the area is not initialised hence not supposed to be used yet.

Powerpc text patching infrastructure allocates a virtual memory area using getvmarea() and flags it as VMALLOC. But that flag is meant to be used for vmalloc() and vmalloc() allocated memory is not supposed to be used before a call to _vmallocnoderange() which is never called for that area.

That went undetected until commit e4137f08816b ("mm, kasan, kmsan: instrument copyfrom/tokernel_nofault")

The area allocated by textareacpuup() is not vmalloc memory, it is mapped directly on demand when needed by mapkernel_page(). There is no VM flag corresponding to such usage, so just pass no flag. That way the area will be unpoisonned and usable immediately.