Overview
CVE-2025-40247 is a vulnerability discovered in the Linux kernel, specifically within the MSM (Qualcomm Innovation Center) DRM (Direct Rendering Manager) driver. This issue involves an error in the page table preallocation cleanup process, potentially leading to a kernel NULL pointer dereference and system crash. The vulnerability arises from a scenario where the msm_vma_job_free() function is called directly from an ioctl without a prior successful prealloc_allocate() call. This can trigger a cleanup operation on uninitialized memory, resulting in the crash. A patch has been released to address this issue.
Technical Details
The vulnerability occurs in the error path of the MSM DRM driver when handling I/O memory management unit (IOMMU) page tables. The error manifests as a NULL pointer dereference in build_detached_freelist(), called from kmem_cache_free_bulk(). The core issue is that msm_iommu_pagetable_prealloc_cleanup() can be called without a corresponding successful msm_iommu_pagetable_prealloc(), so it walks a preallocation list that was never populated and passes uninitialized or invalid memory to the bulk free. The kernel crash log below shows the faulting address and the call chain from the ioctl down to the slab free:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
...
Call trace:
build_detached_freelist+0x28/0x224 (P)
kmem_cache_free_bulk.part.0+0x38/0x244
kmem_cache_free_bulk+0x10/0x1c
msm_iommu_pagetable_prealloc_cleanup+0x3c/0xd0
msm_vma_job_free+0x30/0x240
msm_ioctl_vm_bind+0x1d0/0x9a0
drm_ioctl_kernel+0x84/0x104
drm_ioctl+0x358/0x4d4
__arm64_sys_ioctl+0x8c/0xe0
...
CVSS Analysis
A CVSS score has not yet been assigned to CVE-2025-40247, and the severity is currently listed as N/A. Given the nature of the bug (a kernel NULL pointer dereference that crashes the system), it is likely to be classified as high severity once exploitability and impact are analyzed. Because the outcome is a denial-of-service (DoS) condition, the availability impact would be high.
Possible Impact
The primary impact of CVE-2025-40247 is a potential denial-of-service (DoS) condition. A malicious or buggy application that triggers the vulnerable code path in the MSM DRM driver could cause the kernel to crash, leading to a system halt. This is particularly relevant for systems using Qualcomm SoCs with the MSM DRM driver, such as mobile devices and embedded systems.
Mitigation or Patch Steps
The recommended mitigation is to apply the patch provided by the kernel developers. The fix involves ensuring that prealloc_cleanup() is only called after a successful prealloc_allocate(). The specific commits that address this vulnerability are:
- https://git.kernel.org/stable/c/830d68f2cb8ab6fb798bb9555016709a9e012af0
- https://git.kernel.org/stable/c/b865da18b6cb878f33b5920693d03f23b9c4d1a3
Users should update their kernels to a version that includes these patches or apply the patches manually to their existing kernel if a direct update is not immediately available. Distributions using the affected kernel versions will likely provide updated packages.
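The following is an added user-space model of the bug class described in the Technical Details and of the invariant the fix enforces ("cleanup only after a successful preallocation"); it is not code from the Linux kernel or the MSM driver. All names (pt_prealloc, pt_prealloc_allocate, pt_prealloc_cleanup, vm_bind_job, vm_bind_job_setup, vm_bind_job_free) are hypothetical, and a plain pointer array stands in for the kmem_cache bulk allocation seen in the crash log.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the bug class in CVE-2025-40247. Names are
 * assumptions and not the MSM driver's real API; the freelist is a plain
 * array standing in for the slab bulk allocation in the crash log. */

#define PT_PAGE_SIZE 4096

struct pt_prealloc {
	void **pages;   /* NULL until pt_prealloc_allocate() succeeds */
	size_t count;   /* number of valid entries in pages[] */
};

/* Bulk-allocate n page-table pages. On success fills *p and returns 0;
 * on failure leaves *p untouched and returns -1. */
int pt_prealloc_allocate(struct pt_prealloc *p, size_t n)
{
	void **pages = calloc(n, sizeof(*pages));
	if (!pages)
		return -1;
	for (size_t i = 0; i < n; i++) {
		pages[i] = malloc(PT_PAGE_SIZE);
		if (!pages[i]) {
			while (i--)
				free(pages[i]);
			free(pages);
			return -1;
		}
	}
	p->pages = pages;
	p->count = n;
	return 0;
}

/* Guarded cleanup: a no-op when allocate never ran or already cleaned,
 * so it is safe on a zero-initialised struct and safe to call twice.
 * Returns the number of pages released. An unguarded version that walks
 * p->pages without this check is the pattern behind the NULL dereference
 * in the crash log above. */
size_t pt_prealloc_cleanup(struct pt_prealloc *p)
{
	if (!p->pages)
		return 0;               /* nothing was preallocated */
	size_t freed = p->count;
	for (size_t i = 0; i < p->count; i++)
		free(p->pages[i]);
	free(p->pages);
	p->pages = NULL;                /* back to the "not allocated" state */
	p->count = 0;
	return freed;
}

/* A job as an ioctl handler would build it. Zero-initialising the
 * embedded prealloc is what keeps the early error path below safe. */
struct vm_bind_job {
	struct pt_prealloc prealloc;
	bool prealloc_done;             /* set only after allocate succeeded */
};

void vm_bind_job_init(struct vm_bind_job *job)
{
	memset(job, 0, sizeof(*job));
}

/* Models the ioctl's setup. fail_early simulates a validation error that
 * returns before preallocation is ever attempted. */
int vm_bind_job_setup(struct vm_bind_job *job, size_t npages, bool fail_early)
{
	if (fail_early)
		return -1;              /* error path: prealloc never ran */
	if (pt_prealloc_allocate(&job->prealloc, npages))
		return -1;
	job->prealloc_done = true;
	return 0;
}

/* Models the job-free path reached from the ioctl on both success and
 * error. Cleanup runs only if preallocation actually succeeded. */
size_t vm_bind_job_free(struct vm_bind_job *job)
{
	size_t freed = 0;
	if (job->prealloc_done)
		freed = pt_prealloc_cleanup(&job->prealloc);
	job->prealloc_done = false;
	return freed;
}
```

The caller-side flag in vm_bind_job_free() is the invariant the fix describes: the free path must not assume preallocation happened just because a job object exists. The NULL check inside pt_prealloc_cleanup() is defence in depth for the same failure, and it also makes the cleanup idempotent, which is what you want from anything reachable from an ioctl error path.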
