CVE-2025-22015
EUVD-2025-1034608.04.2025, 09:15
In the Linux kernel, the following vulnerability has been resolved: mm/migrate: fix shmem xarray update during migration A shmem folio can be either in page cache or in swap cache, but not at the same time. Namely, once it is in swap cache, folio->mapping should be NULL, and the folio is no longer in a shmem mapping. In __folio_migrate_mapping(), to determine the number of xarray entries to update, folio_test_swapbacked() is used, but that conflates shmem in page cache case and shmem in swap cache case. It leads to xarray multi-index entry corruption, since it turns a sibling entry to a normal entry during xas_store() (see [1] for a userspace reproduction). Fix it by only using folio_test_swapcache() to determine whether xarray is storing swap cache entries or not to choose the right number of xarray entries to update. [1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/ Note: In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is used to get swap_cache address space, but that ignores the shmem folio in swap cache case. It could lead to NULL pointer dereferencing when a in-swap-cache shmem folio is split at __xa_store(), since !folio_test_anon() is true and folio->mapping is NULL. But fortunately, its caller split_huge_page_to_list_to_order() bails out early with EBUSY when folio->mapping is NULL. So no need to take care of it here.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 6.1.71 ≤ 𝑥 < 6.1.132 |
| linux | linux_kernel | 6.6.10 ≤ 𝑥 < 6.6.85 |
| linux | linux_kernel | 6.7.1 ≤ 𝑥 < 6.12.21 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.13.9 |
| linux | linux_kernel | 6.7 |
| linux | linux_kernel | 6.7:rc8 |
| linux | linux_kernel | 6.14:rc1 |
| linux | linux_kernel | 6.14:rc2 |
| linux | linux_kernel | 6.14:rc3 |
| linux | linux_kernel | 6.14:rc4 |
| linux | linux_kernel | 6.14:rc5 |
| linux | linux_kernel | 6.14:rc6 |
| linux | linux_kernel | 6.14:rc7 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | V3.1.6 ≤ 𝑥 < * | ADP |
| Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | V3.1.6 ≤ 𝑥 < * | ADP |
| Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | V3.1.6 ≤ 𝑥 < * | ADP |
| Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | V3.1.6 ≤ 𝑥 < * | ADP |
| Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP | V3.1.6 ≤ 𝑥 < * | ADP |
Debian Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| kernel-64kb |
| ||||||||||||
| kernel-azure |
| ||||||||||||
| kernel-default |
| ||||||||||||
| kernel-default-base |
| ||||||||||||
| kernel-obs-build |
| ||||||||||||
| kernel-source |
| ||||||||||||
| kernel-source-azure |
| ||||||||||||
| kernel-zfcpdump |
|
Amazon Linux Releases
Amazon Package | |||
|---|---|---|---|
| bpftool |
| ||
| bpftool-debuginfo |
| ||
| kernel |
| ||
| kernel-debuginfo |
| ||
| kernel-debuginfo-common-aarch64 |
| ||
| kernel-debuginfo-common-x86_64 |
| ||
| kernel-devel |
| ||
| kernel-headers |
| ||
| kernel-libbpf |
| ||
| kernel-libbpf-debuginfo |
| ||
| kernel-libbpf-devel |
| ||
| kernel-libbpf-static |
| ||
| kernel-livepatch-6.1.132-147.221 |
| ||
| kernel-livepatch-6.12.22-27.96 |
| ||
| kernel-modules-extra |
| ||
| kernel-modules-extra-common |
| ||
| kernel-tools |
| ||
| kernel-tools-debuginfo |
| ||
| kernel-tools-devel |
| ||
| kernel6.12 |
| ||
| kernel6.12-debuginfo |
| ||
| kernel6.12-debuginfo-common-aarch64 |
| ||
| kernel6.12-debuginfo-common-x86_64 |
| ||
| kernel6.12-modules-extra |
| ||
| perf |
| ||
| perf-debuginfo |
| ||
| perf6.12 |
| ||
| perf6.12-debuginfo |
| ||
| python3-perf |
| ||
| python3-perf-debuginfo |
| ||
| python3-perf6.12 |
| ||
| python3-perf6.12-debuginfo |
|
Common Weakness Enumeration
References