A vulnerability in the Linux kernel's powerpc code-patching code has recently been resolved. The Kernel Address Sanitizer (KASAN) reported an issue while booting a PowerMac G4 with a KASAN-enabled kernel, and the root cause turned out to be that the memory area allocated for text patching was flagged incorrectly.

Exploit Details

The KASAN report showed an out-of-bounds write of size 8 at address f100000, triggered by the chronyd task. The problem was that the PowerPC text patching area was flagged as VM_ALLOC, a flag meant only for areas that are populated by vmalloc(). The bug went unnoticed until commit e4137f08816b added KASAN instrumentation to copy_from/to_kernel_nofault.

Solution

The fix is to stop passing the VM_ALLOC flag when allocating the text patching area. The area is instead mapped directly on demand with map_kernel_page(), and no corresponding VM_ flag is needed for that usage. Without VM_ALLOC, KASAN unpoisons the allocated area at allocation time, so it is immediately usable.

Link to Original Reference: Linux Kernel Mailing List - Archive

Code Snippet

Allocating memory area without VM_ALLOC flag

// previous code: VM_ALLOC tells KASAN the area will be populated by vmalloc(),
// so its shadow stays poisoned until that happens (which it never does here)
vm_area = get_vm_area(PAGE_SIZE * 2, VM_ALLOC | VM_NO_GUARD);

// new code: no flags, so KASAN unpoisons the area as soon as it is reserved
vm_area = get_vm_area(PAGE_SIZE * 2, 0);
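To make the KASAN interaction concrete, here is a small user-space model written for this page (it is not kernel code and not the upstream fix). It mirrors the relevant rule in vmalloc's get_vm_area(): an area reserved without VM_ALLOC has its KASAN shadow unpoisoned right away, while a VM_ALLOC area stays poisoned until vmalloc actually populates it. The powerpc patching path maps its page with map_kernel_page() and never goes through vmalloc's populate step, so an instrumented copy_to_kernel_nofault() into a VM_ALLOC area trips KASAN. All names ending in _model, the flag values, and the sample instruction word are constructed for the illustration.

```c
/* User-space model of KASAN's vmalloc shadow vs. the VM_ALLOC flag.
 * Illustrative code written for this page; the real logic lives in
 * mm/vmalloc.c and mm/kasan, and the powerpc patching code in
 * arch/powerpc/lib/code-patching.c. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE  4096u
#define AREA_PAGES 2u
#define AREA_BYTES (PAGE_SIZE * AREA_PAGES)

/* Flags modelled after get_vm_area()'s flags (values are arbitrary here). */
#define VM_ALLOC    0x1u
#define VM_NO_GUARD 0x2u

/* One shadow byte per data byte keeps the model simple (real KASAN uses
 * one shadow byte per 8 bytes of memory). */
enum shadow {
	SHADOW_ACCESSIBLE = 0,
	SHADOW_VMALLOC_INVALID = 1, /* poisoned: not yet populated by vmalloc */
};

struct vm_area_model {
	unsigned flags;
	uint8_t mem[AREA_BYTES];
	uint8_t shadow[AREA_BYTES];
	int mapped; /* set by map_kernel_page_model() */
};

/* Model of get_vm_area(): the vmalloc range is poisoned by default.
 * Non-VM_ALLOC callers get it unpoisoned immediately, because their pages
 * may be mapped outside the vmalloc code. VM_ALLOC areas stay poisoned
 * until vmalloc allocates and maps pages, which the patching code never
 * asks it to do. */
static void get_vm_area_model(struct vm_area_model *a, unsigned flags)
{
	memset(a, 0, sizeof(*a));
	a->flags = flags;
	memset(a->shadow, SHADOW_VMALLOC_INVALID, AREA_BYTES);
	if (!(flags & VM_ALLOC))
		memset(a->shadow, SHADOW_ACCESSIBLE, AREA_BYTES);
}

/* Model of the powerpc path: map a page into the reserved area directly,
 * bypassing vmalloc's populate step, so the shadow is left as-is. */
static void map_kernel_page_model(struct vm_area_model *a)
{
	a->mapped = 1;
}

/* Model of an instrumented copy_to_kernel_nofault(): every destination
 * byte's shadow is checked before the write. Returns 0 on success, -1
 * where KASAN would report an out-of-bounds write. */
static int copy_to_kernel_nofault_model(struct vm_area_model *a, size_t off,
					const void *src, size_t n)
{
	if (!a->mapped || off + n > AREA_BYTES)
		return -1;
	for (size_t i = off; i < off + n; i++)
		if (a->shadow[i] != SHADOW_ACCESSIBLE)
			return -1; /* KASAN: out-of-bounds write */
	memcpy(a->mem + off, src, n);
	return 0;
}

/* Reserve the area with `flags`, map it, and patch an 8-byte word into it.
 * Returns 0 if the write went through, -1 if the KASAN model fired. */
int patch_with_flags(unsigned flags)
{
	struct vm_area_model area;
	/* Constructed sample payload: two PowerPC nop encodings (0x60000000). */
	const uint64_t insn = 0x6000000060000000ULL;

	get_vm_area_model(&area, flags);
	map_kernel_page_model(&area);
	return copy_to_kernel_nofault_model(&area, 0, &insn, sizeof(insn));
}

int main(void)
{
	printf("VM_ALLOC | VM_NO_GUARD: %s\n",
	       patch_with_flags(VM_ALLOC | VM_NO_GUARD) ? "KASAN report" : "ok");
	printf("no flags:               %s\n",
	       patch_with_flags(0) ? "KASAN report" : "ok");
	return 0;
}
```

Running the model, the VM_ALLOC variant fails on the first byte of the write because its shadow was never cleared, while the flag-free variant succeeds; the only difference between the two runs is the flag passed at reservation time, which is exactly the change the fix makes.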

Conclusion

This vulnerability (CVE-2025-21866) was resolved by fixing the incorrect use of the VM_ALLOC flag for the powerpc/code-patching area, which caused a KASAN report during boot on a PowerMac G4. Allocating the area with no flags resolves the issue and makes the memory area usable immediately.

Timeline

Published on: 03/12/2025 10:15:19 UTC
Last modified on: 03/24/2025 15:41:37 UTC