CVE-2025-68737

Vulnerability

Description

The vulnerability resides in the arm64 implementation of __change_memory_common within the Linux kernel's pageattr subsystem. The function set_memory_ro and set_memory_rox are used to enforce read-only permissions on memory regions, a critical security measure when rodata=on is enabled. However, the return value from __change_memory_common was not properly propagated to callers, meaning that if the underlying operation failed—for example, due to conflicts with large block mappings introduced by commit a166563e7ec3 ("arm64: mm: support large block mapping when rodata=full")—the failure would be silently ignored [1]. This leaves memory in an unprotected state.

Attack

Surface and Exploitation

An attacker with the ability to trigger memory permission changes (e.g., through a vmalloc followed by a set_memory_ro call) could potentially force a failure in the backing function. If the error is suppressed, the memory region may remain writable despite the intended protection. This is especially dangerous when rodata=full is active, as large block mappings increase the likelihood of such failures. The attack requires code execution within the kernel, but no special privileges beyond those already needed to call the affected functions.

Impact

Successful exploitation allows an attacker to modify kernel read-only data structures, bypassing the security hardening provided by rodata=on. This could lead to privilege escalation, arbitrary code execution, or system compromise. The vulnerability undermines a fundamental memory protection mechanism in the arm64 Linux kernel.

Mitigation

The fix ensures that the return value from __change_memory_common is properly propagated to callers, allowing them to detect failures and take corrective action (e.g., aborting further operations or restoring protections). The patch is included in the stable kernel tree [1]. Users are advised to apply the latest stable kernel updates to mitigate this issue.