
CVE-2025-22091: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Wed Apr 16 2025 (04/16/2025, 14:12:43 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix page_size variable overflow

Change all variables storing mlx5_umem_mkc_find_best_pgsz() result to unsigned long to support values larger than 31 and avoid overflow.

For example: If we try to register 4GB of memory that is contiguous in physical memory, the driver will optimize the page_size and try to use an mkey with 4GB entity size. The 'unsigned int' page_size variable will overflow to '0' and we'll hit the WARN_ON() in alloc_cacheable_mr().

WARNING: CPU: 2 PID: 1203 at drivers/infiniband/hw/mlx5/mr.c:1124 alloc_cacheable_mr+0x22/0x580 [mlx5_ib]
Modules linked in: mlx5_ib mlx5_core bonding ip6_gre ip6_tunnel tunnel6 ip_gre gre rdma_rxe rdma_ucm ib_uverbs ib_ipoib ib_umad rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm fuse ib_core [last unloaded: mlx5_core]
CPU: 2 UID: 70878 PID: 1203 Comm: rdma_resource_l Tainted: G W 6.14.0-rc4-dirty #43
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:alloc_cacheable_mr+0x22/0x580 [mlx5_ib]
Code: 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 41 52 53 48 83 ec 30 f6 46 28 04 4c 8b 77 08 75 21 <0f> 0b 49 c7 c2 ea ff ff ff 48 8d 65 d0 4c 89 d0 5b 41 5a 41 5c 41
RSP: 0018:ffffc900006ffac8 EFLAGS: 00010246
RAX: 0000000004c0d0d0 RBX: ffff888217a22000 RCX: 0000000000100001
RDX: 00007fb7ac480000 RSI: ffff8882037b1240 RDI: ffff8882046f0600
RBP: ffffc900006ffb28 R08: 0000000000000001 R09: 0000000000000000
R10: 00000000000007e0 R11: ffffea0008011d40 R12: ffff8882037b1240
R13: ffff8882046f0600 R14: ffff888217a22000 R15: ffffc900006ffe00
FS: 00007fb7ed013340(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb7ed1d8000 CR3: 00000001fd8f6006 CR4: 0000000000772eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
? __warn+0x81/0x130
? alloc_cacheable_mr+0x22/0x580 [mlx5_ib]
? report_bug+0xfc/0x1e0
? handle_bug+0x55/0x90
? exc_invalid_op+0x17/0x70
? asm_exc_invalid_op+0x1a/0x20
? alloc_cacheable_mr+0x22/0x580 [mlx5_ib]
create_real_mr+0x54/0x150 [mlx5_ib]
ib_uverbs_reg_mr+0x17f/0x2a0 [ib_uverbs]
ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xca/0x140 [ib_uverbs]
ib_uverbs_run_method+0x6d0/0x780 [ib_uverbs]
? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
ib_uverbs_cmd_verbs+0x19b/0x360 [ib_uverbs]
? walk_system_ram_range+0x79/0xd0
? ___pte_offset_map+0x1b/0x110
? __pte_offset_map_lock+0x80/0x100
ib_uverbs_ioctl+0xac/0x110 [ib_uverbs]
__x64_sys_ioctl+0x94/0xb0
do_syscall_64+0x50/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fb7ecf0737b
Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 7d 2a 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffdbe03ecc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffdbe03edb8 RCX: 00007fb7ecf0737b
RDX: 00007ffdbe03eda0 RSI: 00000000c0181b01 RDI: 0000000000000003
RBP: 00007ffdbe03ed80 R08: 00007fb7ecc84010 R09: 00007ffdbe03eed4
R10: 0000000000000009 R11: 0000000000000246 R12: 00007ffdbe03eed4
R13: 000000000000000c R14: 000000000000000c R15: 00007fb7ecc84150
</TASK>

AI-Powered Analysis

Last updated: 07/03/2025, 21:10:55 UTC

Technical Analysis

CVE-2025-22091 is a vulnerability in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically in the Mellanox mlx5 InfiniBand driver (mlx5_ib). The flaw is an integer overflow in the handling of the page_size variable used during memory registration for RDMA operations. The page size returned by mlx5_umem_mkc_find_best_pgsz() was originally stored in an 'unsigned int' variable, which cannot represent page sizes of 2^32 bytes (4GB) or larger. When a large, physically contiguous memory region (e.g., 4GB) is registered, the driver optimizes the page size to 4GB, the 32-bit page_size variable wraps to zero, and the WARN_ON() in alloc_cacheable_mr() fires. On x86 the warning is raised through a trapping instruction (visible as the exc_invalid_op frames in the stack trace); it produces a kernel warning and a failed registration, and on systems configured with panic_on_warn it escalates to a kernel panic, so the practical effect is potential kernel instability or a crash. The root cause is the undersized data type for page_size; the fix changes every variable that stores the mlx5_umem_mkc_find_best_pgsz() result to 'unsigned long' so that larger values no longer overflow. The vulnerability is located in the mlx5_ib kernel module, which manages RDMA memory regions on Mellanox hardware. The kernel stack trace shows that the issue occurs while creating memory keys (mkeys) for RDMA memory registration, a path that is critical for high-performance networking in data centers and HPC environments. Although no known exploits are currently in the wild, the condition can be triggered by a local user or process with RDMA privileges that registers a large memory region, potentially causing denial of service (DoS) through kernel crashes or instability. The vulnerability does not appear to allow privilege escalation or arbitrary code execution directly, but it poses a risk to system availability and reliability in environments that use Mellanox RDMA hardware with affected Linux kernel versions.
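The truncation described above, reduced to a stand-alone C model. This is an added illustration, not code from the mlx5_ib driver: best_pgsz() is a hypothetical, simplified stand-in for the driver's page-size selection (largest power of two that divides both the region's start and its length), pgsz_as_unsigned_int() reproduces the defective 'unsigned int' storage, pgsz_as_unsigned_long() the fixed storage, and page_size_is_sane() the kind of check the WARN_ON() in alloc_cacheable_mr() performs. It assumes an LP64 platform (64-bit Linux, where unsigned long is 64 bits), and the 4GB region and its start address are constructed values.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, simplified model of choosing the largest power-of-two
 * page size that evenly covers a physically contiguous region: both the
 * start address and the length must be multiples of it. Returns the page
 * size in bytes, or 0 when no usable size exists. Not the driver's code. */
unsigned long best_pgsz(unsigned long iova, unsigned long length)
{
    unsigned long pgsz = 1UL << 12;            /* start at 4 KiB */

    if (length == 0)
        return 0;
    /* grow while the next size still divides both start and length */
    while ((pgsz << 1) != 0 &&
           iova % (pgsz << 1) == 0 &&
           length % (pgsz << 1) == 0)
        pgsz <<= 1;
    return pgsz;
}

/* Defective pattern (the CVE): the result lands in a 32-bit 'unsigned int'.
 * The cast is explicit here; the original assignment truncated implicitly.
 * A 4 GiB page size (1UL << 32) becomes 0. */
unsigned int pgsz_as_unsigned_int(unsigned long iova, unsigned long length)
{
    unsigned int page_size = (unsigned int)best_pgsz(iova, length);
    return page_size;
}

/* Fixed pattern: keep the result in 'unsigned long', as the fix does. */
unsigned long pgsz_as_unsigned_long(unsigned long iova, unsigned long length)
{
    unsigned long page_size = best_pgsz(iova, length);
    return page_size;
}

/* The sanity check a later stage relies on: a page size must be a non-zero
 * power of two before it is used to size an mkey. */
bool page_size_is_sane(unsigned long page_size)
{
    return page_size != 0 && (page_size & (page_size - 1)) == 0;
}

int main(void)
{
    /* constructed input: a 4 GiB region starting on a 4 GiB boundary */
    unsigned long iova = 0x100000000UL;
    unsigned long length = 1UL << 32;

    printf("best page size      : 0x%lx\n", best_pgsz(iova, length));
    printf("stored as uint      : 0x%x (sane: %d)\n",
           pgsz_as_unsigned_int(iova, length),
           page_size_is_sane(pgsz_as_unsigned_int(iova, length)));
    printf("stored as ulong     : 0x%lx (sane: %d)\n",
           pgsz_as_unsigned_long(iova, length),
           page_size_is_sane(pgsz_as_unsigned_long(iova, length)));
    return 0;
}
```

For a 2 MiB region both storage types agree, which is why the defect only surfaces with regions whose best page size reaches 4GB; the same silent truncation applies to any wider-to-narrower assignment, so compiling driver-style code with -Wconversion is a cheap way to catch this class of bug before it reaches a WARN_ON().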

Potential Impact

For European organizations, particularly those operating data centers, HPC clusters, or cloud infrastructure utilizing Linux servers with Mellanox RDMA hardware, this vulnerability could lead to system crashes or instability when handling large RDMA memory registrations. This may result in denial of service conditions affecting critical applications relying on high-speed RDMA networking, such as financial trading platforms, scientific computing, and large-scale virtualization environments. The impact is primarily on availability and operational continuity. Since RDMA is often used in performance-sensitive environments, any disruption could cause significant downtime and financial loss. Additionally, organizations with strict uptime requirements or those providing RDMA-enabled services may face reputational damage if affected by this vulnerability. However, the vulnerability requires local access and RDMA privileges, limiting the attack surface to trusted users or processes. Remote exploitation is unlikely without prior access. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to accidental or malicious triggering of the overflow condition.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched, ensuring the mlx5_ib driver uses 'unsigned long' for page_size variables. Specifically, kernel updates from the Linux vendor or distribution that address CVE-2025-22091 must be applied promptly. System administrators should audit RDMA usage and restrict access to RDMA device nodes and interfaces to trusted users only, minimizing the risk of accidental or malicious triggering. Implementing strict access controls and monitoring RDMA-related system calls can help detect anomalous behavior. For environments where immediate patching is not feasible, disabling RDMA support or the mlx5_ib driver temporarily may be considered to mitigate risk, though this will impact RDMA functionality. Additionally, organizations should monitor kernel logs for WARN_ON() messages related to alloc_cacheable_mr() as indicators of attempted exploitation or misconfiguration. Incorporating these mitigations into change management and vulnerability management processes will help maintain system stability and security.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-12-29T08:45:45.817Z
Cisa Enriched
false
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9831c4522896dcbe80b4

Added to database: 5/21/2025, 9:09:05 AM

Last enriched: 7/3/2025, 9:10:55 PM

Last updated: 8/19/2025, 10:56:45 AM

Views: 18
