CVE-2025-40124
Description
In the Linux kernel, the following vulnerability has been resolved:
sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III
Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios enabled resulted from copy_from_user() returning impossibly large values greater than the size to be copied. This lead to __copy_from_iter() returning impossible values instead of the actual number of bytes it was able to copy.
The BUG_ON has been reported in https://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de
The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. The exception handlers expect that %o2 has already been masked during the bulk copy loop, but the masking was performed after that loop. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A bug in SPARC copy_from_user/copy_to_user exception handlers on UltraSPARC III causes incorrect return values, leading to kernel memory corruption.
Vulnerability
Vulnerability
In the Linux kernel, a flaw in the SPARC architecture's copy_from_user and copy_to_user functions for UltraSPARC III processors causes exception handlers to return values that can be impossibly large—greater than the requested copy size. This occurs because exception handlers, which calculate remaining bytes after a fault, rely on register %o2 being masked during the bulk copy loop, but the masking step is performed after the loop completes. As a result, when a faulting copies return incorrect byte counts.
Exploitation
An attacker does not require authentication or special privileges; any user-space program that triggers a page fault during a copy operation can cause the kernel to return a wrong value. The bug is triggered when a user-space buffer is not fully accessible, the kernel's exception handler incorrectly computes the number of bytes not copied, leading to a value that may exceed the original length. This can be triggered by normal file operations, such as reading from ext4 filesystem with large folios enabled.
Impact
An attacker who can cause a copy_from_user to fault can make the kernel believe that more data was copied than actually was. This can lead to memory corruption in filesystem code (e.g., ext4) that trusts the return value, potentially causing data corruption or system crashes. The bug was discovered because it triggered a BUG_ON in ext4 code with large folios.
Mitigation
Patches are available in the stable kernel tree [1][2][3]. Users should update to the latest stable kernel version that includes the fix. No workaround is available; the only mitigation is to apply the kernel update.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
8fdd43fe6d2861198077606ae1857cdca12c491eda032eb16dc766c4830a75ef9c94d7110e50377c6b3f247b49c06eb62Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/1198077606aeffb102587c6ea079ce99641c99d4nvd
- git.kernel.org/stable/c/1857cdca12c4aff58bf26a7005a4d02850c29927nvd
- git.kernel.org/stable/c/47b49c06eb62504075f0f2e2227aee2e2c2a58b3nvd
- git.kernel.org/stable/c/5ef9c94d7110e90260c06868cf1dcf899b9f25eenvd
- git.kernel.org/stable/c/91eda032eb16e5d2be27c95584665bc555bb5a90nvd
- git.kernel.org/stable/c/dc766c4830a7e1e1ee9d7f77d4ab344f2eb23c8envd
- git.kernel.org/stable/c/e50377c6b3f278c9f3ef017ffce17f5fcc9dace4nvd
- git.kernel.org/stable/c/fdd43fe6d286f27b826572457a89c926f97e2d3anvd
News mentions
0No linked articles in our index yet.