CVE-2025-40336
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/gpusvm: fix hmm_pfn_to_map_order() usage
Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here.
v2:
- Add kernel-doc (Matt B)
- s/fls/ilog2/ (Thomas)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel GPU SVM vulnerability where improper huge-page handling in hmm_pfn_to_map_order() can cause out-of-range memory mapping.
Vulnerability
Overview
In the Linux kernel's drm/gpusvm component, the use of hmm_pfn_to_map_order() does not handle the case where the HMM (Heterogeneous Memory Management) range only partially covers a huge page (e.g., a 2MB page). This can lead to mapping memory that lies outside the intended range, potentially including memory not even mapped by the process's mm_struct [1].
Exploitation
Context
The bug is triggered when a GPU SVM (Shared Virtual Memory) operation uses an HMM range that only partially overlaps a huge page. The flawed order calculation may cause the kernel to map the entire huge page instead of only the portion within the range, resulting in an out-of-bounds mapping. No special privileges beyond access to GPU SVM functionality are required; the attack surface is local, as the kernel component is accessible to users with GPU device access.
Impact
An attacker with local access and the ability to trigger GPU SVM operations could exploit this to map memory outside the intended range. This could lead to information disclosure (reading sensitive kernel or other process memory) or potentially privilege escalation if the mapped memory includes critical data structures. The vulnerability is similar to issues previously addressed in the xe driver's userptr code [1].
Mitigation
The fix, which aligns the gpusvm code with the xe userptr approach, has been committed to the stable kernel tree as of the referenced patch c50729c68aaf [1]. Users should apply the latest stable kernel updates to ensure the corrected hmm_pfn_to_map_order() logic is in place. No workaround is available; patching is required.
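To make the order calculation described under Context and Mitigation concrete, the following is an added C model; it is not the kernel's code. It assumes 4K base pages with 2M huge pages (order 9), a stand-in raw_map_order() that always reports a huge page, and a pages_mapped() walker; all names are hypothetical.

```c
/* Constructed model, not kernel code: 4K base pages; a 2M huge page is 2^9 of them. */
#define HUGE_ORDER 9UL
#define HUGE_PAGES (1UL << HUGE_ORDER)

/* Stand-in for hmm_pfn_to_map_order(): every pfn in this model sits inside a
 * 2M huge page, so the raw order reported for it is always HUGE_ORDER. */
static unsigned long raw_map_order(unsigned long pfn) { (void)pfn; return HUGE_ORDER; }

static unsigned long ilog2_ul(unsigned long v)
{
	unsigned long r = 0;
	while (v >>= 1)
		r++;
	return r;
}

/* Flawed usage: take the huge-page order as-is, ignoring where the range
 * starts inside the huge page and where the range ends. */
static unsigned long order_unclamped(unsigned long pfn, unsigned long idx, unsigned long npages)
{
	(void)idx; (void)npages;
	return raw_map_order(pfn);
}

/* Clamped order, modelled on the approach the fix describes: shrink the mapping
 * to the pages left in the huge page after pfn, then to the pages left in the
 * range, and round down to a power of two with ilog2. */
static unsigned long order_clamped(unsigned long pfn, unsigned long idx, unsigned long npages)
{
	unsigned long size = 1UL << raw_map_order(pfn);
	size -= pfn & (size - 1);            /* pages from pfn to end of the huge page */
	if (idx + size > npages)
		size -= idx + size - npages; /* do not run past the end of the range */
	return ilog2_ul(size);
}

typedef unsigned long (*order_fn_t)(unsigned long, unsigned long, unsigned long);

/* Walk npages starting at pfn and return how many pages end up mapped;
 * anything above npages is memory outside the requested range. */
static unsigned long pages_mapped(order_fn_t order_fn, unsigned long pfn, unsigned long npages)
{
	unsigned long idx = 0, total = 0;
	while (idx < npages) {
		unsigned long n = 1UL << order_fn(pfn + idx, idx, npages);
		total += n;
		idx += n;
	}
	return total;
}
```

For a 20-page range starting 500 pages into a huge page, the unclamped walk maps 512 pages while the clamped walk maps exactly 20 (8 + 4 + 8).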
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (2)
- 208e9fd78ba1b
- c50729c68aaf
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.