DEBIAN-CVE-2026-23077

In the Linux kernel, the following vulnerability has been resolved:  mm/vma: fix anonvma UAF on mremap() faulted, unfaulted merge  Patch series "mm/vma: fix anonvma UAF on mremap() faulted, unfaulted merge", v2.  Commit 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges") introduced the ability to merge previously unavailable VMA merge scenarios.  However, it is handling merges incorrectly when it comes to mremap() of a faulted VMA adjacent to an unfaulted VMA.  The issues arise in three cases:  1. Previous VMA unfaulted:                copied -----|                           v |-----------|.............| | unfaulted |(faulted VMA)| |-----------|.............|      prev  2. Next VMA unfaulted:                copied -----|                           v             |.............|-----------|             |(faulted VMA)| unfaulted |                     |.............|-----------|                       next  3. Both adjacent VMAs unfaulted:                copied -----|                           v |-----------|.............|-----------| | unfaulted |(faulted VMA)| unfaulted | |-----------|.............|-----------|      prev                      next  This series fixes each of these cases, and introduces self tests to assert that the issues are corrected.  I also test a further case which was already handled, to assert that my changes continues to correctly handle it:  4. prev unfaulted, next faulted:                copied -----|                           v |-----------|.............|-----------| | unfaulted |(faulted VMA)|  faulted  | |-----------|.............|-----------|      prev                      next  This bug was discovered via a syzbot report, linked to in the first patch in the series, I confirmed that this series fixes the bug.  I also discovered that we are failing to check that the faulted VMA was not forked when merging a copied VMA in cases 1-3 above, an issue this series also addresses.  I also added self tests to assert that this is resolved (and confirmed that the tests failed prior to this).  I also cleaned up vmaexpand() as part of this work, renamed vmahaduncowedparents() to vmaisforkchild() as the previous name was unduly confusing, and simplified the comments around this function.   This patch (of 4):  Commit 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges") introduced the ability to merge previously unavailable VMA merge scenarios.  The key piece of logic introduced was the ability to merge a faulted VMA immediately next to an unfaulted VMA, which relies upon dupanonvma() to correctly handle anonvma state.  In the case of the merge of an existing VMA (that is changing properties of a VMA and then merging if those properties are shared by adjacent VMAs), dupanonvma() is invoked correctly.  However in the case of the merge of a new VMA, a corner case peculiar to mremap() was missed.  The issue is that vmaexpand() only performs dupanonvma() if the target (the VMA that will ultimately become the merged VMA): is not the next VMA, i.e.  the one that appears after the range in which the new VMA is to be established.  A key insight here is that in all other cases other than mremap(), a new VMA merge either expands an existing VMA, meaning that the target VMA will be that VMA, or would have anonvma be NULL.  Specifically:  * _mmapregion() - no anonvma in place, initial mapping.  dobrkflags() - expanding an existing VMA.  vmamergeextend() - expanding an existing VMA. * relocatevmadown() - no anonvma in place, initial mapping.  In addition, we are in the unique situation of needing to duplicate anonvma state from a VMA that is neither the previous or next VMA being merged with.  dupanon_vma() deals exclusively with the target=unfaulted, src=faulted case.  This leaves four possibilities, in each case where the copied VMA is faulted:  1. Previous VMA unfaulted:                copied -----|                         ---truncated---