CVE-2025-40009

In the Linux kernel, the following vulnerability has been resolved:

fs/proc/taskmmu: check p->vecbuf for NULL

When the PAGEMAPSCAN ioctl is invoked with veclen = 0 reaches pagemapscanbackout_range(), kernel panics with null-ptr-deref:

[ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUGPAGEALLOC KASAN NOPTI [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none) [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.939935] RIP: 0010:pagemapscanthpentry.isra.0+0x741/0xa80

<snip registers, unreliable trace>

[ 44.946828] Call Trace: [ 44.947030] <TASK> [ 44.949219] pagemapscanpmdentry+0xec/0xfa0 [ 44.952593] walkpmdrange.isra.0+0x302/0x910 [ 44.954069] walkpudrange.isra.0+0x419/0x790 [ 44.954427] walkp4drange+0x41e/0x620 [ 44.954743] walkpgd_range+0x31e/0x630 [ 44.955057] __walkpagerange+0x160/0x670 [ 44.956883] walkpagerangemm+0x408/0x980 [ 44.958677] walkpagerange+0x66/0x90 [ 44.958984] dopagemapscan+0x28d/0x9c0 [ 44.961833] dopagemap_cmd+0x59/0x80 [ 44.962484] __x64sysioctl+0x18d/0x210 [ 44.962804] dosyscall64+0x5b/0x290 [ 44.963111] entrySYSCALL64afterhwframe+0x76/0x7e

veclen = 0 in pagemapscaninitbouncebuffer() means no buffers are allocated and p->vecbuf remains set to NULL.

This breaks an assumption made later in pagemapscanbackoutrange(), that pageregion is always allocated for p->vecbufindex.

Fix it by explicitly checking p->vec_buf for NULL before dereferencing.

Other sites that might run into same deref-issue are already (directly or transitively) protected by checking p->vec_buf.

Note: From PAGEMAPSCAN man page, it seems veclen = 0 is valid when no output is requested and it's only the side effects caller is interested in, hence it passes check in pagemapscanget_args().

This issue was found by syzkaller.