Wind River Support Network

Acknowledged

LIN1024-12863 : Security Advisory - linux - CVE-2025-40008

Created: Oct 20, 2025    Updated: Oct 23, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

kmsan: fix out-of-bounds access to shadow memory

Running sha224_kunit on a KMSAN-enabled kernel results in a crash in kmsan_internal_set_shadow_origin():

    BUG: unable to handle page fault for address: ffffbc3840291000
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0
    Oops: 0000 [#1] SMP NOPTI
    CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G                 N  6.17.0-rc3 #10 PREEMPT(voluntary)
    Tainted: [N]=TEST
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
    RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100
    [...]
    Call Trace:
    <TASK>
    __msan_memset+0xee/0x1a0
    sha224_final+0x9e/0x350
    test_hash_buffer_overruns+0x46f/0x5f0
    ? kmsan_get_shadow_origin_ptr+0x46/0xa0
    ? __pfx_test_hash_buffer_overruns+0x10/0x10
    kunit_try_run_case+0x198/0xa00

This occurs when memset() is called on a buffer that is not 4-byte aligned and extends to the end of a guard page, i.e. the next page is unmapped.

The bug is that the loop at the end of kmsan_internal_set_shadow_origin() accesses the wrong shadow memory bytes when the address is not 4-byte aligned. Since each 4 bytes are associated with an origin, it rounds the address and size so that it can access all the origins that contain the buffer. However, when it checks the corresponding shadow bytes for a particular origin, it incorrectly uses the original unrounded shadow address. This results in reads from shadow memory beyond the end of the buffer's shadow memory, which crashes when that memory is not mapped.

To fix this, correctly align the shadow address before accessing the 4 shadow bytes corresponding to each origin.
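
The indexing error described above can be reproduced with plain offset arithmetic. The following is an added user-space model, not kernel source and not part of the advisory; the function names, the 4096-byte page size and the 29-byte buffer are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define ORIGIN_SIZE 4u        /* each 4 bytes share one origin (from the advisory) */
#define MODEL_PAGE_SIZE 4096u /* assumed: one mapped shadow page, next one unmapped */

/*
 * Hypothetical model of the final loop: for each origin slot covering the
 * rounded buffer, 4 shadow bytes are inspected. Offsets are relative to the
 * start of the mapped shadow page. Returns one past the highest shadow
 * offset read. fixed == 0 indexes from the unrounded shadow address (the
 * bug); fixed != 0 indexes from the aligned one (the fix).
 */
static size_t shadow_read_end(size_t off, size_t size, int fixed)
{
    size_t pad = off % ORIGIN_SIZE;
    size_t aligned_off = off - pad;                  /* round address down */
    size_t rounded = size + pad;                     /* grow size by the pad */
    size_t slots, base, end = 0;

    rounded = (rounded + ORIGIN_SIZE - 1) / ORIGIN_SIZE * ORIGIN_SIZE;
    slots = rounded / ORIGIN_SIZE;
    base = fixed ? aligned_off : off;

    for (size_t i = 0; i < slots; i++) {
        size_t hi = base + (i + 1) * ORIGIN_SIZE;    /* end of this 4-byte read */
        if (hi > end)
            end = hi;
    }
    return end;
}

/* 1 if the loop would touch shadow beyond the mapped page, else 0. */
static int reads_past_page(size_t off, size_t size, int fixed)
{
    return shadow_read_end(off, size, fixed) > MODEL_PAGE_SIZE;
}

int main(void)
{
    /* Constructed case: 29-byte buffer, unaligned, ending at the page end. */
    size_t off = MODEL_PAGE_SIZE - 29, size = 29;

    printf("unrounded base: read end %zu, past page: %d\n",
           shadow_read_end(off, size, 0), reads_past_page(off, size, 0));
    printf("aligned base:   read end %zu, past page: %d\n",
           shadow_read_end(off, size, 1), reads_past_page(off, size, 1));
    return 0;
}
```

With the unrounded base the last slot's read ends 3 bytes past the page, which matches the pad; an aligned buffer shows no overrun in either mode.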