Message-ID: <2025022607-CVE-2025-21779-f239@gregkh>
Date: Wed, 26 Feb 2025 18:17:35 -0800
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2025-21779: KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel
Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and
only if the local APIC is emulated/virtualized by KVM, and explicitly reject
said hypercalls if the local APIC is emulated in userspace, i.e. don't rely
on userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID.
Rejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if
Hyper-V enlightenments are exposed to the guest without an in-kernel local
APIC:
dump_stack+0xbe/0xfd
__kasan_report.cold+0x34/0x84
kasan_report+0x3a/0x50
__apic_accept_irq+0x3a/0x5c0
kvm_hv_send_ipi.isra.0+0x34e/0x820
kvm_hv_hypercall+0x8d9/0x9d0
kvm_emulate_hypercall+0x506/0x7e0
__vmx_handle_exit+0x283/0xb60
vmx_handle_exit+0x1d/0xd0
vcpu_enter_guest+0x16b0/0x24c0
vcpu_run+0xc0/0x550
kvm_arch_vcpu_ioctl_run+0x170/0x6d0
kvm_vcpu_ioctl+0x413/0xb20
__se_sys_ioctl+0x111/0x160
do_syscall_64+0x30/0x40
entry_SYSCALL_64_after_hwframe+0x67/0xd1
Note, checking the sending vCPU is sufficient, as the per-VM irqchip_mode
can't be modified after vCPUs are created, i.e. if one vCPU has an
in-kernel local APIC, then all vCPUs have an in-kernel local APIC.
The Linux kernel CVE team has assigned CVE-2025-21779 to this issue.
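To make the reasoning above concrete, here is an added example in C, written for this page and not code from the kernel or from the fix commits: a userspace model of the decision logic. The hypercall codes, status values and CPUID bit are the Hyper-V TLFS values KVM uses; everything else is this model's own choice and an assumption, in particular the toy struct layouts, the names hv_hypercall_unfixed/hv_hypercall_fixed, run_hypercall, advertised_eax and irqchip_after_vcpu, the MODEL_NULL_DEREF sentinel that stands in for the crash in __apic_accept_irq, and the status code returned on rejection, which the advisory does not quote. The model shows why KVM_CAP_HYPERV_ENFORCE_CPUID is not a sufficient guard (a guest can issue SEND_IPI regardless of CPUID, and userspace may not have opted in), why the fixed path rejects before touching the APIC, and why one vCPU's lapic_in_kernel() answers the question for the whole VM.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypercall codes and status values from the Hyper-V TLFS. */
#define HVCALL_SEND_IPI                   0x000b
#define HVCALL_SEND_IPI_EX                0x0015
#define HV_STATUS_SUCCESS                 0
#define HV_STATUS_INVALID_HYPERCALL_CODE  2
#define HV_STATUS_INVALID_HYPERCALL_INPUT 3
#define HV_STATUS_ACCESS_DENIED           6
/* CPUID 0x40000004.EAX bit 10: guest should use SEND_IPI hypercalls. */
#define HV_X64_CLUSTER_IPI_RECOMMENDED    (1u << 10)

/* Model-only sentinel (assumption): the real kernel faults here, see the splat. */
#define MODEL_NULL_DEREF ((int64_t)-1)

enum irqchip_mode { IRQCHIP_NONE, IRQCHIP_KERNEL, IRQCHIP_SPLIT };

struct lapic { uint32_t id; };

struct vm {                         /* toy stand-in for struct kvm (assumption) */
	enum irqchip_mode irqchip_mode; /* per-VM; frozen once a vCPU exists */
	unsigned created_vcpus;
	bool enforce_cpuid;             /* KVM_CAP_HYPERV_ENFORCE_CPUID set by userspace */
	uint32_t hv_cpuid_eax;          /* CPUID 0x40000004.EAX userspace gave the guest */
};

struct vcpu {                       /* toy stand-in for struct kvm_vcpu (assumption) */
	struct vm *kvm;
	struct lapic *apic;             /* NULL when the LAPIC lives in userspace */
	struct lapic apic_storage;
};

/* KVM_CREATE_IRQCHIP / KVM_CAP_SPLIT_IRQCHIP are refused once any vCPU exists,
 * so the irqchip mode seen by one vCPU holds for every vCPU of the VM. */
static int kvm_set_irqchip(struct vm *kvm, enum irqchip_mode mode)
{
	if (kvm->irqchip_mode != IRQCHIP_NONE)
		return -EEXIST;
	if (kvm->created_vcpus > 0)
		return -EINVAL;
	kvm->irqchip_mode = mode;
	return 0;
}

/* Both in-kernel modes (full and split) put the LAPIC inside KVM. */
static void vcpu_create(struct vcpu *vcpu, struct vm *kvm, uint32_t id)
{
	vcpu->kvm = kvm;
	vcpu->apic_storage.id = id;
	vcpu->apic = kvm->irqchip_mode != IRQCHIP_NONE ? &vcpu->apic_storage : NULL;
	kvm->created_vcpus++;
}

static bool lapic_in_kernel(const struct vcpu *vcpu) { return vcpu->apic != NULL; }

/* Fixed advertisement: recommend cluster IPIs only when KVM owns the LAPIC. */
static uint32_t hv_cpuid_eax_fixed(const struct vcpu *vcpu)
{
	return lapic_in_kernel(vcpu) ? HV_X64_CLUSTER_IPI_RECOMMENDED : 0;
}

/* Stand-in for __apic_accept_irq(): the first thing it touches is the APIC. */
static int64_t apic_accept_irq(struct lapic *apic)
{
	return apic ? HV_STATUS_SUCCESS : MODEL_NULL_DEREF;
}

static bool is_send_ipi(uint16_t code)
{
	return code == HVCALL_SEND_IPI || code == HVCALL_SEND_IPI_EX;
}

/* The only gate on the unfixed path: optional CPUID enforcement, which helps
 * only if userspace opted in AND did not advertise the bit to the guest. */
static bool denied_by_cpuid(const struct vcpu *vcpu)
{
	return vcpu->kvm->enforce_cpuid &&
	       !(vcpu->kvm->hv_cpuid_eax & HV_X64_CLUSTER_IPI_RECOMMENDED);
}

static int64_t hv_hypercall_unfixed(struct vcpu *vcpu, uint16_t code)
{
	if (!is_send_ipi(code))
		return HV_STATUS_INVALID_HYPERCALL_CODE; /* other calls not modelled */
	if (denied_by_cpuid(vcpu))
		return HV_STATUS_ACCESS_DENIED;
	return apic_accept_irq(vcpu->apic);          /* NULL APIC: crash */
}

/* Fixed path: reject before touching the APIC, whatever userspace opted into.
 * The status value returned here is this model's choice (assumption). */
static int64_t hv_hypercall_fixed(struct vcpu *vcpu, uint16_t code)
{
	if (!is_send_ipi(code))
		return HV_STATUS_INVALID_HYPERCALL_CODE;
	if (!lapic_in_kernel(vcpu))
		return HV_STATUS_INVALID_HYPERCALL_INPUT;
	if (denied_by_cpuid(vcpu))
		return HV_STATUS_ACCESS_DENIED;
	return apic_accept_irq(vcpu->apic);
}

/* Build a VM in the given configuration, create one vCPU, issue one hypercall. */
static int64_t run_hypercall(bool fixed, enum irqchip_mode mode, bool enforce,
			     uint32_t cpuid_eax, uint16_t code)
{
	struct vm kvm = { .enforce_cpuid = enforce, .hv_cpuid_eax = cpuid_eax };
	struct vcpu vcpu;

	if (mode != IRQCHIP_NONE)
		kvm_set_irqchip(&kvm, mode);
	vcpu_create(&vcpu, &kvm, 0);
	return fixed ? hv_hypercall_fixed(&vcpu, code) : hv_hypercall_unfixed(&vcpu, code);
}

/* What the fixed kernel would advertise for a VM in the given mode. */
static uint32_t advertised_eax(enum irqchip_mode mode)
{
	struct vm kvm = { 0 };
	struct vcpu vcpu;

	if (mode != IRQCHIP_NONE)
		kvm_set_irqchip(&kvm, mode);
	vcpu_create(&vcpu, &kvm, 0);
	return hv_cpuid_eax_fixed(&vcpu);
}

/* Creating the irqchip after a vCPU exists fails, so the mode cannot change. */
static int irqchip_after_vcpu(void)
{
	struct vm kvm = { 0 };
	struct vcpu vcpu;

	vcpu_create(&vcpu, &kvm, 0);
	return kvm_set_irqchip(&kvm, IRQCHIP_KERNEL);
}

int main(void)
{
	static const char *const names[] = { "userspace APIC", "in-kernel APIC", "split irqchip" };

	/* Worst case for each mode: userspace never set KVM_CAP_HYPERV_ENFORCE_CPUID. */
	for (int mode = IRQCHIP_NONE; mode <= IRQCHIP_SPLIT; mode++)
		printf("%-15s advertised=0x%x unfixed=%lld fixed=%lld\n", names[mode],
		       advertised_eax(mode),
		       (long long)run_hypercall(false, mode, false, 0, HVCALL_SEND_IPI),
		       (long long)run_hypercall(true, mode, false, 0, HVCALL_SEND_IPI));
	return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. In the userspace-APIC row the unfixed column prints -1 (the modelled NULL dereference) and the fixed column prints 3, while both in-kernel rows print 0; flipping enforce to true with the bit still advertised in hv_cpuid_eax leaves the unfixed result at -1, which is the case the commit message is describing when it says not to rely on the userspace opt-in.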
Affected and fixed versions
===========================
Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.1.129 with commit 5393cf22312418262679eaadb130d608c75fe690
Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.6.79 with commit 874ff13c73c45ecb38cb82191e8c1d523f0dc81b
Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.12.16 with commit aca8be4403fb90db7adaf63830e27ebe787a76e8
Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.13.4 with commit ca29f58ca374c40a0e69c5306fc5c940a0069074
Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.14-rc3 with commit a8de7f100bb5989d9c3627d3a223ee1c863f3b69
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-21779
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
arch/x86/kvm/hyperv.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/5393cf22312418262679eaadb130d608c75fe690
https://git.kernel.org/stable/c/874ff13c73c45ecb38cb82191e8c1d523f0dc81b
https://git.kernel.org/stable/c/aca8be4403fb90db7adaf63830e27ebe787a76e8
https://git.kernel.org/stable/c/ca29f58ca374c40a0e69c5306fc5c940a0069074
https://git.kernel.org/stable/c/a8de7f100bb5989d9c3627d3a223ee1c863f3b69