CVE-2025-37761 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix an out-of-bounds shift when invalidating TLB
When the size of the range invalidated is larger than rounddown_pow_of_two(ULONG_MAX), The function macro roundup_pow_of_two(length) will hit an out-of-bounds shift [1].
Use a full TLB invalidation for such cases. v2: - Use a define for the range size limit over which we use a full TLB invalidation. (Lucas) - Use a better calculation of the limit.
[1]:
[ 39.202421] ------------[ cut here ]------------
[ 39.202657] UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
[ 39.202673] shift exponent 64 is too large for 64-bit type 'long unsigned int'
[ 39.202688] CPU: 8 UID: 0 PID: 3129 Comm: xe_exec_system_ Tainted: G U 6.14.0+ #10
[ 39.202690] Tainted: [U]=USER
[ 39.202690] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 2001 02/01/2023
[ 39.202691] Call Trace:
[ 39.202692] <TASK>
[ 39.202695] dump_stack_lvl+0x6e/0xa0
[ 39.202699] ubsan_epilogue+0x5/0x30
[ 39.202701] __ubsan_handle_shift_out_of_bounds.cold+0x61/0xe6
[ 39.202705] xe_gt_tlb_invalidation_range.cold+0x1d/0x3a [xe]
[ 39.202800] ? find_held_lock+0x2b/0x80
[ 39.202803] ? mark_held_locks+0x40/0x70
[ 39.202806] xe_svm_invalidate+0x459/0x700 [xe]
[ 39.202897] drm_gpusvm_notifier_invalidate+0x4d/0x70 [drm_gpusvm]
[ 39.202900] __mmu_notifier_release+0x1f5/0x270
[ 39.202905] exit_mmap+0x40e/0x450
[ 39.202912] __mmput+0x45/0x110
[ 39.202914] exit_mm+0xc5/0x130
[ 39.202916] do_exit+0x21c/0x500
[ 39.202918] ? lockdep_hardirqs_on_prepare+0xdb/0x190
[ 39.202920] do_group_exit+0x36/0xa0
[ 39.202922] get_signal+0x8f8/0x900
[ 39.202926] arch_do_signal_or_restart+0x35/0x100
[ 39.202930] syscall_exit_to_user_mode+0x1fc/0x290
[ 39.202932] do_syscall_64+0xa1/0x180
[ 39.202934] ? do_user_addr_fault+0x59f/0x8a0
[ 39.202937] ? lock_release+0xd2/0x2a0
[ 39.202939] ? do_user_addr_fault+0x5a9/0x8a0
[ 39.202942] ? trace_hardirqs_off+0x4b/0xc0
[ 39.202944] ? clear_bhb_loop+0x25/0x80
[ 39.202946] ? clear_bhb_loop+0x25/0x80
[ 39.202947] ? clear_bhb_loop+0x25/0x80
[ 39.202950] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 39.202952] RIP: 0033:0x7fa945e543e1
[ 39.202961] Code: Unable to access opcode bytes at 0x7fa945e543b7.
[ 39.202962] RSP: 002b:00007ffca8fb4170 EFLAGS: 00000293
[ 39.202963] RAX: 000000000000003d RBX: 0000000000000000 RCX: 00007fa945e543e3
[ 39.202964] RDX: 0000000000000000 RSI: 00007ffca8fb41ac RDI: 00000000ffffffff
[ 39.202964] RBP: 00007ffca8fb4190 R08: 0000000000000000 R09: 00007fa945f600a0
[ 39.202965] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
[ 39.202966] R13: 00007fa9460dd310 R14: 00007ffca8fb41ac R15: 0000000000000000
[ 39.202970] </TASK>
[ 39.202970] ---[ end trace ]---
(cherry picked from commit b88f48f86500bc0b44b4f73ac66d500a40d320ad)
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 11/07/2025
The vulnerability CVE-2025-37761 resides within the Linux kernel's graphics subsystem, specifically in the Intel Xe graphics driver module. This issue stems from an improper handling of memory translation lookaside buffer (TLB) invalidation operations when dealing with large memory ranges. The flaw manifests when the size of a memory range being invalidated exceeds a certain threshold, triggering an out-of-bounds shift operation that leads to a kernel panic or system instability. The root cause lies in the function macro `roundup_pow_of_two(length)` which is designed to round memory sizes up to the next power of two, but fails when the input length surpasses `rounddown_pow_of_two(ULONG_MAX)`. This condition results in a shift operation that attempts to shift by an exponent exceeding the bit width of the target data type, specifically a 64-bit unsigned long integer in this case. The Universal Stack Unwinding Sanitizer (UBSAN) detects this violation and generates an error message indicating a shift-out-of-bounds condition, with the error occurring in the `log2.h` header file at line 57 where the shift operation is performed. The stack trace shows the error originates from the `xe_gt_tlb_invalidation_range` function within the xe driver module, which is called during GPU memory management operations, particularly when invalidating memory mappings through the `xe_svm_invalidate` function. This vulnerability directly maps to CWE-754, which describes the weakness of an uninitialized return value that could be exploited to cause unexpected behavior. The operational impact of this vulnerability is significant as it can lead to system crashes, denial of service conditions, and potentially allow for privilege escalation or information disclosure if exploited in a controlled environment. The attack surface is primarily limited to systems utilizing Intel Xe graphics hardware and running kernel versions containing the vulnerable code, though the broader impact extends to any application or process that triggers memory invalidation operations on GPU memory mappings. The fix implemented addresses this by introducing a threshold check that detects when the memory range size exceeds a safe limit and switches to a full TLB invalidation approach instead of the problematic power-of-two rounding operation. This mitigation strategy aligns with the ATT&CK framework's concept of privilege escalation through kernel exploits, specifically targeting the T1055.013 technique related to kernel module loading and manipulation. The solution also incorporates a define for the range size limit, enhancing code maintainability and making the threshold value configurable, while also employing a more robust calculation method for determining the safe boundary. This approach ensures that even in edge cases where memory ranges approach the maximum possible size, the system will not attempt invalid operations that could compromise system stability or security. The fix represents a defensive programming technique that prevents arithmetic overflow conditions in kernel space, which is critical given the privileged execution context and the potential for cascading failures when kernel memory management operations are compromised. The resolution demonstrates a careful balance between performance optimization and security robustness, ensuring that TLB invalidation operations remain efficient while preventing the kernel from executing potentially dangerous operations that could be exploited by malicious actors.