CVE-2025-38434

In the Linux kernel, the following vulnerability has been resolved: Revert "riscv: Define TASK_SIZE_MAX for __access_ok()" This reverts commit ad5643cf2f69 ("riscv: Define TASK_SIZE_MAX for __access_ok()"). This commit changes TASK_SIZE_MAX to be LONG_MAX to optimize access_ok(), because the previous TASK_SIZE_MAX (default to TASK_SIZE) requires some computation. The reasoning was that all user addresses are less than LONG_MAX, and all kernel addresses are greater than LONG_MAX. Therefore access_ok() can filter kernel addresses. Addresses between TASK_SIZE and LONG_MAX are not valid user addresses, but access_ok() let them pass. That was thought to be okay, because they are not valid addresses at hardware level. Unfortunately, one case is missed: get_user_pages_fast() happily accepts addresses between TASK_SIZE and LONG_MAX. futex(), for instance, uses get_user_pages_fast(). This causes the problem reported by Robert [1]. Therefore, revert this commit. TASK_SIZE_MAX is changed to the default: TASK_SIZE. This unfortunately reduces performance, because TASK_SIZE is more expensive to compute compared to LONG_MAX. But correctness first, we can think about optimization later, if required.

CVSS

No CVSS.

References

Link	Resource
https://git.kernel.org/stable/c/890ba5be6335dbbbc99af14ea007befb5f83f174
https://git.kernel.org/stable/c/f8b1898748dfeb4f9b67b6a6d661f354b9de3523
https://git.kernel.org/stable/c/fe30c30bf3bb68d4a4d8c7c814769857b5c973e6

Configurations

No configuration.

History

25 Jul 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-25 15:15

Updated : 2025-07-25 15:29

NVD link : CVE-2025-38434

Mitre link : CVE-2025-38434

JSON object : View

Products Affected

No product.

CWE

No CWE.

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://git.kernel.org/stable/c/890ba5be6335dbbbc99af14ea007befb5f83f174", "name": "https://git.kernel.org/stable/c/890ba5be6335dbbbc99af14ea007befb5f83f174", "tags": [], "refsource": ""}, {"url": "https://git.kernel.org/stable/c/f8b1898748dfeb4f9b67b6a6d661f354b9de3523", "name": "https://git.kernel.org/stable/c/f8b1898748dfeb4f9b67b6a6d661f354b9de3523", "tags": [], "refsource": ""}, {"url": "https://git.kernel.org/stable/c/fe30c30bf3bb68d4a4d8c7c814769857b5c973e6", "name": "https://git.kernel.org/stable/c/fe30c30bf3bb68d4a4d8c7c814769857b5c973e6", "tags": [], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"riscv: Define TASK_SIZE_MAX for __access_ok()\"\n\nThis reverts commit ad5643cf2f69 (\"riscv: Define TASK_SIZE_MAX for\n__access_ok()\").\n\nThis commit changes TASK_SIZE_MAX to be LONG_MAX to optimize access_ok(),\nbecause the previous TASK_SIZE_MAX (default to TASK_SIZE) requires some\ncomputation.\n\nThe reasoning was that all user addresses are less than LONG_MAX, and all\nkernel addresses are greater than LONG_MAX. Therefore access_ok() can\nfilter kernel addresses.\n\nAddresses between TASK_SIZE and LONG_MAX are not valid user addresses, but\naccess_ok() let them pass. That was thought to be okay, because they are\nnot valid addresses at hardware level.\n\nUnfortunately, one case is missed: get_user_pages_fast() happily accepts\naddresses between TASK_SIZE and LONG_MAX. futex(), for instance, uses\nget_user_pages_fast(). This causes the problem reported by Robert [1].\n\nTherefore, revert this commit. TASK_SIZE_MAX is changed to the default:\nTASK_SIZE.\n\nThis unfortunately reduces performance, because TASK_SIZE is more expensive\nto compute compared to LONG_MAX. But correctness first, we can think about\noptimization later, if required."}]}, "problemtype": {"problemtype_data": [{"description": []}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2025-38434", "ASSIGNER": "cve@kernel.org"}}, "impact": {}, "publishedDate": "2025-07-25T15:15Z", "configurations": {"nodes": [], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-07-25T15:29Z"}