CVE-2025-21724 in Linux
Summary
by MITRE • 02/27/2025
In the Linux kernel, the following vulnerability has been resolved:
iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()
Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index() where shifting the constant "1" (of type int) by bitmap->mapped.pgshift (an unsigned long value) could result in undefined behavior.
The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds 31 (e.g., pgshift = 63) the shift operation overflows, as the result cannot be represented in a 32-bit type.
To resolve this, the constant is updated to "1UL", promoting it to an unsigned long type to match the operand's type.
Analysis
by VulDB Data Team • 05/25/2026
CVE-2025-21724 is an undefined-behaviour bug in the Linux kernel's iommufd/iova_bitmap code, specifically in iova_bitmap_offset_to_index(). iommufd is the kernel's userspace-facing IOMMU interface, and the IOVA bitmap is the structure it uses to report which pages behind a device-visible address range have been written (dirty tracking), so the code sits on the path that supports device memory isolation for virtualization and device passthrough. The defect is a shift-out-of-bounds reported by the kernel's UBSAN instrumentation: a shift count outside the width of the shifted operand, for which the C standard defines no result. It is a correctness bug with security relevance rather than a demonstrated "critical" exploit primitive; what follows explains why.
The root cause is a type mismatch in a left shift. iova_bitmap_offset_to_index() derives the page size by shifting the constant 1 left by bitmap->mapped.pgshift, which is an unsigned long. A bare 1 literal has type int, so the shift is evaluated in 32 bits even though the result is used as a 64-bit page size. C only defines a left shift when the count is less than the width of the promoted left operand (and, for a signed operand, when the result is representable), so a pgshift of 32 or more, such as the 63 in the report, leaves the compiler free to emit anything (strictly, 31 is already a problem for an int, since 2^31 is not representable in it). This is an incorrect shift width, not a conversion or truncation error: the CWE-195 (Signed to Unsigned Conversion Error) and CWE-194 (Unexpected Sign Extension, not "Unsigned Integer Truncation") labels attached to this entry are a loose fit, and CWE-1335 (Incorrect Bitwise Shift of Integer) describes the defect more precisely. Sign extension of the int result into the unsigned long is, however, one of the ways a wrong page size can materialize at runtime, which is presumably why CWE-194 was chosen.
The operational impact is narrower than "undefined behaviour" suggests, but real. The shift produces the page size that scales an IOVA into a bitmap word index; if the compiled code yields a wrong page size (on x86, for instance, a 32-bit shift instruction masks its count to five bits, so a count of 63 behaves like 31, and the resulting int sign-extends to a huge unsigned long on assignment), the index for the dirty-tracking bitmap is miscomputed, and a lookup or update can land on the wrong bit or outside the intended window. Whether that is reachable from an unprivileged caller depends on who controls pgshift: iommufd is driven from userspace through /dev/iommu, but the summary does not identify the trigger, so the privilege-escalation framing (ATT&CK T1068: Exploitation for Privilege Escalation) is the worst case to plan for, not a demonstrated outcome. Loading a malicious kernel module or device driver is not a meaningful way to exploit this bug, since code already running in the kernel has no need of it; the realistic concern is a caller-supplied page size reaching the bitmap code with a shift beyond 31, which matters most on hosts that use IOMMU dirty tracking for live migration of passthrough devices in cloud and server virtualization.
The fix for CVE-2025-21724 is a one-token type promotion: the literal 1 becomes 1UL, so the shift is evaluated in an unsigned long and the left operand has the same width as pgshift and as the page-size result. That makes the operation well defined for every count below BITS_PER_LONG (63 included on 64-bit targets), removes the UBSAN report, and follows the usual kernel idiom for building sizes and masks from shift counts (compare BIT_ULL()). Two caveats a reviewer should keep in mind. First, the fix does not bound pgshift: a count of BITS_PER_LONG or more is still undefined, and even a defined count near the top of the range gives a page size so large that multiplying it by the bits-per-word factor in the index arithmetic wraps, so validation of the page size where it enters the bitmap code is what actually keeps the index computation sane. Second, on 32-bit kernels unsigned long is 32 bits wide, so 1UL only helps there for counts below 32. The change alters no data layout or interface, which makes it a safe backport to stable branches.
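As an added worked example (not the kernel's source, which this page does not reproduce), the C program below reconstructs the vulnerable and fixed forms of the page-size shift described in the summary, models one plausible machine outcome of the undefined shift, and shows the bound on pgshift that the fix itself does not enforce. The struct layout, the index formula (one bit per page, 64 pages per bitmap word), the pgsize_* and pgshift_is_sane() helpers and the x86 masking model are assumptions made for illustration; only iova_bitmap_offset_to_index() and mapped.pgshift come from the commit message.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal layout; only the field the bug touches is modelled. */
struct iova_bitmap {
    struct {
        unsigned long pgshift;   /* log2 of the tracked page size */
    } mapped;
};

/* Bits per bitmap word, standing in for the kernel's BITS_PER_TYPE(). */
#define BITS_PER_WORD (CHAR_BIT * sizeof(unsigned long))

/* C11 6.5.7: a left shift is only defined when the count is below the width
 * of the promoted left operand. A bare "1" is an int (32 bits on every Linux
 * target); "1UL" has the width of unsigned long (64 on LP64 kernels). */
static int shift_is_defined(unsigned long count, unsigned int operand_width)
{
    return count < operand_width;
}

/* Vulnerable form. Defined only while pgshift <= 30: 1 << 31 is not
 * representable in an int, and 32 and above exceed the operand width. */
static unsigned long pgsize_vulnerable(const struct iova_bitmap *bitmap)
{
    return 1 << bitmap->mapped.pgshift;
}

/* Fixed form (the CVE-2025-21724 change): the literal has the operand's type. */
static unsigned long pgsize_fixed(const struct iova_bitmap *bitmap)
{
    return 1UL << bitmap->mapped.pgshift;
}

/* One plausible machine outcome of the undefined shift, modelled explicitly
 * rather than executed: if the compiler emits a 32-bit SHL, x86 masks the
 * count to 5 bits, so 63 behaves as 31, the int result is INT_MIN, and the
 * conversion to unsigned long sign-extends it. Not guaranteed behaviour. */
static unsigned long pgsize_x86_masked_model(const struct iova_bitmap *bitmap)
{
    unsigned int count = bitmap->mapped.pgshift & 31u;
    uint32_t reg = 1u << count;        /* value left in the 32-bit register */
    int as_int = (int)reg;             /* the expression's type is int */
    return (unsigned long)as_int;      /* widened on assignment */
}

/* Bound the fix does not impose: the index arithmetic multiplies the page
 * size by BITS_PER_WORD, so that product must also fit an unsigned long. */
static int pgshift_is_sane(unsigned long pgshift)
{
    if (!shift_is_defined(pgshift, BITS_PER_WORD))
        return 0;
    return (1UL << pgshift) <= ULONG_MAX / BITS_PER_WORD;
}

/* Assumed index formula: one bit per page, BITS_PER_WORD pages per word. */
static unsigned long iova_bitmap_offset_to_index(const struct iova_bitmap *bitmap,
                                                 unsigned long iova)
{
    unsigned long pgsize = pgsize_fixed(bitmap);

    return iova / (BITS_PER_WORD * pgsize);
}

int main(void)
{
    struct iova_bitmap b = { .mapped = { .pgshift = 12 } };

    printf("pgshift 12: vulnerable=%lu fixed=%lu index(64 pages)=%lu\n",
           pgsize_vulnerable(&b), pgsize_fixed(&b),
           iova_bitmap_offset_to_index(&b, 64UL << 12));

    b.mapped.pgshift = 63;
    printf("pgshift 63: int-shift defined=%d ulong-shift defined=%d\n",
           shift_is_defined(63, 32), shift_is_defined(63, BITS_PER_WORD));
    printf("pgshift 63: fixed=0x%lx masked-model=0x%lx sane=%d\n",
           pgsize_fixed(&b), pgsize_x86_masked_model(&b),
           pgshift_is_sane(63));
    return 0;
}
```

The vulnerable form is deliberately never called with a count above 30 here, because doing so would execute the very undefined behaviour under discussion and the result would tell you about one compiler, not about the bug. pgshift_is_sane() is the check that belongs wherever a page size enters the bitmap code: the 1UL fix makes the shift itself defined up to a count of 63, but the index arithmetic wraps once the page size exceeds ULONG_MAX / 64, which is why validation, not the literal's type, is what bounds the input.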