CVE-2025-40008 (GCVE-0-2025-40008)

Vulnerability from cvelistv5 – Published: 2025-10-20 15:26 – Updated: 2025-10-20 15:26
VLAI?
Title
kmsan: fix out-of-bounds access to shadow memory
Summary
In the Linux kernel, the following vulnerability has been resolved: kmsan: fix out-of-bounds access to shadow memory Running sha224_kunit on a KMSAN-enabled kernel results in a crash in kmsan_internal_set_shadow_origin(): BUG: unable to handle page fault for address: ffffbc3840291000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0 Oops: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary) Tainted: [N]=TEST Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100 [...] Call Trace: <TASK> __msan_memset+0xee/0x1a0 sha224_final+0x9e/0x350 test_hash_buffer_overruns+0x46f/0x5f0 ? kmsan_get_shadow_origin_ptr+0x46/0xa0 ? __pfx_test_hash_buffer_overruns+0x10/0x10 kunit_try_run_case+0x198/0xa00 This occurs when memset() is called on a buffer that is not 4-byte aligned and extends to the end of a guard page, i.e. the next page is unmapped. The bug is that the loop at the end of kmsan_internal_set_shadow_origin() accesses the wrong shadow memory bytes when the address is not 4-byte aligned. Since each 4 bytes are associated with an origin, it rounds the address and size so that it can access all the origins that contain the buffer. However, when it checks the corresponding shadow bytes for a particular origin, it incorrectly uses the original unrounded shadow address. This results in reads from shadow memory beyond the end of the buffer's shadow memory, which crashes when that memory is not mapped. To fix this, correctly align the shadow address before accessing the 4 shadow bytes corresponding to each origin.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 9ff078f5bad8990091f1639347de5e02636e9536 , < e6684ed39edc35401a3341f85b1ab50a6f89a45d (git)
Affected: 19e85d939001946671643f4c16e1de8c633a6ce0 , < df1fa034c0fc229a63d01ffb20bb919b839cb576 (git)
Affected: 2ef3cec44c60ae171b287db7fc2aa341586d65ba , < f84e48707051812289b6c2684d4df2daa9d3bfbc (git)
Affected: 2ef3cec44c60ae171b287db7fc2aa341586d65ba , < 5855792c6bb9a825607845db3feaddaff0414ec3 (git)
Affected: 2ef3cec44c60ae171b287db7fc2aa341586d65ba , < 85e1ff61060a765d91ee62dc5606d4d547d9d105 (git)
Affected: abeede7011da6c88e83ed260b909c140b8c9c250 (git)
Create a notification for this product.
    Linux Linux Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.1.155 , ≤ 6.1.* (semver)
Unaffected: 6.6.109 , ≤ 6.6.* (semver)
Unaffected: 6.12.50 , ≤ 6.12.* (semver)
Unaffected: 6.16.10 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/kmsan/core.c",
            "mm/kmsan/kmsan_test.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e6684ed39edc35401a3341f85b1ab50a6f89a45d",
              "status": "affected",
              "version": "9ff078f5bad8990091f1639347de5e02636e9536",
              "versionType": "git"
            },
            {
              "lessThan": "df1fa034c0fc229a63d01ffb20bb919b839cb576",
              "status": "affected",
              "version": "19e85d939001946671643f4c16e1de8c633a6ce0",
              "versionType": "git"
            },
            {
              "lessThan": "f84e48707051812289b6c2684d4df2daa9d3bfbc",
              "status": "affected",
              "version": "2ef3cec44c60ae171b287db7fc2aa341586d65ba",
              "versionType": "git"
            },
            {
              "lessThan": "5855792c6bb9a825607845db3feaddaff0414ec3",
              "status": "affected",
              "version": "2ef3cec44c60ae171b287db7fc2aa341586d65ba",
              "versionType": "git"
            },
            {
              "lessThan": "85e1ff61060a765d91ee62dc5606d4d547d9d105",
              "status": "affected",
              "version": "2ef3cec44c60ae171b287db7fc2aa341586d65ba",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "abeede7011da6c88e83ed260b909c140b8c9c250",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/kmsan/core.c",
            "mm/kmsan/kmsan_test.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.155",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.109",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.50",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.155",
                  "versionStartIncluding": "6.1.94",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.109",
                  "versionStartIncluding": "6.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.50",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.10",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.9.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkmsan: fix out-of-bounds access to shadow memory\n\nRunning sha224_kunit on a KMSAN-enabled kernel results in a crash in\nkmsan_internal_set_shadow_origin():\n\n    BUG: unable to handle page fault for address: ffffbc3840291000\n    #PF: supervisor read access in kernel mode\n    #PF: error_code(0x0000) - not-present page\n    PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0\n    Oops: 0000 [#1] SMP NOPTI\n    CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G                 N  6.17.0-rc3 #10 PREEMPT(voluntary)\n    Tainted: [N]=TEST\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n    RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100\n    [...]\n    Call Trace:\n    \u003cTASK\u003e\n    __msan_memset+0xee/0x1a0\n    sha224_final+0x9e/0x350\n    test_hash_buffer_overruns+0x46f/0x5f0\n    ? kmsan_get_shadow_origin_ptr+0x46/0xa0\n    ? __pfx_test_hash_buffer_overruns+0x10/0x10\n    kunit_try_run_case+0x198/0xa00\n\nThis occurs when memset() is called on a buffer that is not 4-byte aligned\nand extends to the end of a guard page, i.e.  the next page is unmapped.\n\nThe bug is that the loop at the end of kmsan_internal_set_shadow_origin()\naccesses the wrong shadow memory bytes when the address is not 4-byte\naligned.  Since each 4 bytes are associated with an origin, it rounds the\naddress and size so that it can access all the origins that contain the\nbuffer.  However, when it checks the corresponding shadow bytes for a\nparticular origin, it incorrectly uses the original unrounded shadow\naddress.  This results in reads from shadow memory beyond the end of the\nbuffer\u0027s shadow memory, which crashes when that memory is not mapped.\n\nTo fix this, correctly align the shadow address before accessing the 4\nshadow bytes corresponding to each origin."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-20T15:26:54.568Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e6684ed39edc35401a3341f85b1ab50a6f89a45d"
        },
        {
          "url": "https://git.kernel.org/stable/c/df1fa034c0fc229a63d01ffb20bb919b839cb576"
        },
        {
          "url": "https://git.kernel.org/stable/c/f84e48707051812289b6c2684d4df2daa9d3bfbc"
        },
        {
          "url": "https://git.kernel.org/stable/c/5855792c6bb9a825607845db3feaddaff0414ec3"
        },
        {
          "url": "https://git.kernel.org/stable/c/85e1ff61060a765d91ee62dc5606d4d547d9d105"
        }
      ],
      "title": "kmsan: fix out-of-bounds access to shadow memory",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40008",
    "datePublished": "2025-10-20T15:26:54.568Z",
    "dateReserved": "2025-04-16T07:20:57.151Z",
    "dateUpdated": "2025-10-20T15:26:54.568Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40008\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-20T16:15:37.480\",\"lastModified\":\"2025-10-21T19:31:25.450\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkmsan: fix out-of-bounds access to shadow memory\\n\\nRunning sha224_kunit on a KMSAN-enabled kernel results in a crash in\\nkmsan_internal_set_shadow_origin():\\n\\n    BUG: unable to handle page fault for address: ffffbc3840291000\\n    #PF: supervisor read access in kernel mode\\n    #PF: error_code(0x0000) - not-present page\\n    PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0\\n    Oops: 0000 [#1] SMP NOPTI\\n    CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G                 N  6.17.0-rc3 #10 PREEMPT(voluntary)\\n    Tainted: [N]=TEST\\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\\n    RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100\\n    [...]\\n    Call Trace:\\n    \u003cTASK\u003e\\n    __msan_memset+0xee/0x1a0\\n    sha224_final+0x9e/0x350\\n    test_hash_buffer_overruns+0x46f/0x5f0\\n    ? kmsan_get_shadow_origin_ptr+0x46/0xa0\\n    ? __pfx_test_hash_buffer_overruns+0x10/0x10\\n    kunit_try_run_case+0x198/0xa00\\n\\nThis occurs when memset() is called on a buffer that is not 4-byte aligned\\nand extends to the end of a guard page, i.e.  the next page is unmapped.\\n\\nThe bug is that the loop at the end of kmsan_internal_set_shadow_origin()\\naccesses the wrong shadow memory bytes when the address is not 4-byte\\naligned.  Since each 4 bytes are associated with an origin, it rounds the\\naddress and size so that it can access all the origins that contain the\\nbuffer.  However, when it checks the corresponding shadow bytes for a\\nparticular origin, it incorrectly uses the original unrounded shadow\\naddress.  This results in reads from shadow memory beyond the end of the\\nbuffer\u0027s shadow memory, which crashes when that memory is not mapped.\\n\\nTo fix this, correctly align the shadow address before accessing the 4\\nshadow bytes corresponding to each origin.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5855792c6bb9a825607845db3feaddaff0414ec3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/85e1ff61060a765d91ee62dc5606d4d547d9d105\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/df1fa034c0fc229a63d01ffb20bb919b839cb576\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e6684ed39edc35401a3341f85b1ab50a6f89a45d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f84e48707051812289b6c2684d4df2daa9d3bfbc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.