kvm s390 gmap Memory Corruption
CVE-2025-71155
Severity: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: s390: Fix gmap_helper_zap_one_page() again

A few checks were missing in gmap_helper_zap_one_page(), which can lead to memory corruption in the guest under specific circumstances. Add the missing checks.
02 KernelScan AI Analysis
Risk summary
A missing validation check in s390 KVM's guest memory management could allow memory corruption in virtual machines under memory pressure. An attacker with VM creation privileges could potentially corrupt guest memory by triggering specific swap conditions, leading to guest crashes or potential privilege escalation within the guest.
Vulnerability analysis
Root Cause: The gmap_helper_zap_one_page() function was missing critical checks on the PGSTE (Page Guest State Entry) flags before clearing page table entries and zapping softleaf entries. Specifically, it failed to verify that the page was marked as unused (_PGSTE_GPS_USAGE_UNUSED) or zero (_PGSTE_GPS_ZERO) before performing destructive operations on swap entries.
Attack Surface: This vulnerability affects KVM guests running on s390 architecture with memory pressure and swap usage. It requires local access to create KVM guests and trigger memory pressure conditions. The bug is specific to s390's guest memory management (gmap) subsystem and requires virtualization capabilities.
Fix Mechanism: The patch adds proper validation by checking the PGSTE value against _PGSTE_GPS_USAGE_MASK and _PGSTE_GPS_ZERO flags. The ptep_zap_softleaf_entry() and pte_clear() operations are now only performed when the page state indicates it's safe to do so, preventing corruption of guest memory when the page is still in active use.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.4 | 2af2abbcbf85 |
| mainline | 6.19 | 2f393c228cc5 |