Home

Description

In the Linux kernel, the following vulnerability has been resolved: arm64: mm: fix VA-range sanity check Both create_mapping_noalloc() and update_mapping_prot() sanity-check their 'virt' parameter, but the check itself doesn't make much sense. The condition used today appears to be a historical accident. The sanity-check condition: if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { [ ... warning here ... ] return; } ... can only be true for the KASAN shadow region or the module region, and there's no reason to exclude these specifically for creating and updateing mappings. When arm64 support was first upstreamed in commit: c1cc1552616d0f35 ("arm64: MMU initialisation") ... the condition was: if (virt < VMALLOC_START) { [ ... warning here ... ] return; } At the time, VMALLOC_START was the lowest kernel address, and this was checking whether 'virt' would be translated via TTBR1. Subsequently in commit: 14c127c957c1c607 ("arm64: mm: Flip kernel VA space") ... the condition was changed to: if ((virt >= VA_START) && (virt < VMALLOC_START)) { [ ... warning here ... ] return; } This appear to have been a thinko. The commit moved the linear map to the bottom of the kernel address space, with VMALLOC_START being at the halfway point. The old condition would warn for changes to the linear map below this, and at the time VA_START was the end of the linear map. Subsequently we cleaned up the naming of VA_START in commit: 77ad4ce69321abbe ("arm64: memory: rename VA_START to PAGE_END") ... keeping the erroneous condition as: if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { [ ... warning here ... ] return; } Correct the condition to check against the start of the TTBR1 address space, which is currently PAGE_OFFSET. This simplifies the logic, and more clearly matches the "outside kernel range" message in the warning.

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2025-12-24 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 9d8d3df71516ec3236d8d93ff029d251377ba4b1
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 32020fc2a8373d3de35ae6d029d5969a42651e7a
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 621619f626cbe702ddbdc54117f3868b8ebd8129
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before b03c7fcc5ed854d0e1b27e9abf12428bfa751a37
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ab9b4008092c86dc12497af155a0901cc1156999
affected

Default status
affected

5.4.251 (semver)
unaffected

5.10.188 (semver)
unaffected

5.15.150 (semver)
unaffected

6.4.7 (semver)
unaffected

6.5 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/9d8d3df71516ec3236d8d93ff029d251377ba4b1

git.kernel.org/...c/32020fc2a8373d3de35ae6d029d5969a42651e7a

git.kernel.org/...c/621619f626cbe702ddbdc54117f3868b8ebd8129

git.kernel.org/...c/b03c7fcc5ed854d0e1b27e9abf12428bfa751a37

git.kernel.org/...c/ab9b4008092c86dc12497af155a0901cc1156999

cve.org (CVE-2023-53989)

nvd.nist.gov (CVE-2023-53989)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.