Bug 2365022 (CVE-2025-37818) - CVE-2025-37818 kernel: LoongArch: Return NULL from huge_pte_offset() for invalid PMD
Summary: CVE-2025-37818 kernel: LoongArch: Return NULL from huge_pte_offset() for inva...
Keywords:
Status: NEW
Alias: CVE-2025-37818
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-05-08 07:01 UTC by OSIDB Bzimport
Modified: 2025-05-08 11:21 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-05-08 07:01:57 UTC 
In the Linux kernel, the following vulnerability has been resolved:

LoongArch: Return NULL from huge_pte_offset() for invalid PMD

LoongArch's huge_pte_offset() currently returns a pointer to a PMD slot
even if the underlying entry points to invalid_pte_table (indicating no
mapping). Callers like smaps_hugetlb_range() fetch this invalid entry
value (the address of invalid_pte_table) via this pointer.

The generic is_swap_pte() check then incorrectly identifies this address
as a swap entry on LoongArch, because it satisfies the "!pte_present()
&& !pte_none()" conditions. This misinterpretation, combined with a
coincidental match by is_migration_entry() on the address bits, leads to
kernel crashes in pfn_swap_entry_to_page().

Fix this at the architecture level by modifying huge_pte_offset() to
check the PMD entry's content using pmd_none() before returning. If the
entry is invalid (i.e., it points to invalid_pte_table), return NULL
instead of the pointer to the slot.
Comment 1 Avinash Hanwate 2025-05-08 11:17:45 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025050819-CVE-2025-37818-1c09@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.