| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025040126-CVE-2025-21902-ce66@gregkh> Date: Tue, 1 Apr 2025 16:39:26 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2025-21902: acpi: typec: ucsi: Introduce a ->poll_cci method Description =========== In the Linux kernel, the following vulnerability has been resolved: acpi: typec: ucsi: Introduce a ->poll_cci method For the ACPI backend of UCSI the UCSI "registers" are just a memory copy of the register values in an opregion. The ACPI implementation in the BIOS ensures that the opregion contents are synced to the embedded controller and it ensures that the registers (in particular CCI) are synced back to the opregion on notifications. While there is an ACPI call that syncs the actual registers to the opregion there is rarely a need to do this and on some ACPI implementations it actually breaks in various interesting ways. The only reason to force a sync from the embedded controller is to poll CCI while notifications are disabled. Only the ucsi core knows if this is the case and guessing based on the current command is suboptimal, i.e. leading to the following spurious assertion splat: WARNING: CPU: 3 PID: 76 at drivers/usb/typec/ucsi/ucsi.c:1388 ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi] CPU: 3 UID: 0 PID: 76 Comm: kworker/3:0 Not tainted 6.12.11-200.fc41.x86_64 #1 Hardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN45WW 03/17/2023 Workqueue: events_long ucsi_init_work [typec_ucsi] RIP: 0010:ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi] Call Trace: <TASK> ucsi_init_work+0x3c/0xac0 [typec_ucsi] process_one_work+0x179/0x330 worker_thread+0x252/0x390 kthread+0xd2/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 </TASK> Thus introduce a ->poll_cci() method that works like ->read_cci() with an additional forced sync and document that this should be used when polling with notifications disabled. For all other backends that presumably don't have this issue use the same implementation for both methods. The Linux kernel CVE team has assigned CVE-2025-21902 to this issue. Affected and fixed versions =========================== Issue introduced in 6.12.5 with commit c0ca6fd5f6ebde8fc0df8bb5c32629d1284f60d0 and fixed in 6.12.19 with commit 012b98cdb54c7d47743ee7fc402fa23f2d90529a Issue introduced in 6.13 with commit fa48d7e81624efdf398b990a9049e9cd75a5aead and fixed in 6.13.7 with commit 1aec5c9066965ac0984e385bbc31455ae31cbffc Issue introduced in 6.13 with commit fa48d7e81624efdf398b990a9049e9cd75a5aead and fixed in 6.14 with commit 976e7e9bdc7719a023a4ecccd2e3daec9ab20a40 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-21902 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/usb/typec/ucsi/ucsi.c drivers/usb/typec/ucsi/ucsi.h drivers/usb/typec/ucsi/ucsi_acpi.c drivers/usb/typec/ucsi/ucsi_ccg.c drivers/usb/typec/ucsi/ucsi_glink.c drivers/usb/typec/ucsi/ucsi_stm32g0.c drivers/usb/typec/ucsi/ucsi_yoga_c630.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/012b98cdb54c7d47743ee7fc402fa23f2d90529a https://git.kernel.org/stable/c/1aec5c9066965ac0984e385bbc31455ae31cbffc https://git.kernel.org/stable/c/976e7e9bdc7719a023a4ecccd2e3daec9ab20a40
Powered by blists - more mailing lists