Message-ID: <2025040843-CVE-2025-22013-c885@gregkh>
Date: Tue, 8 Apr 2025 10:16:47 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2025-22013: KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state
There are several problems with the way hyp code lazily saves the host's
FPSIMD/SVE state, including:
* Host SVE being discarded unexpectedly due to inconsistent
  configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to
  result in QEMU crashes where SVE is used by memmove(), as reported by
  Eric Auger:
  https://issues.redhat.com/browse/RHEL-68997
* Host SVE state is discarded *after* modification by ptrace, which was an
  unintentional ptrace ABI change introduced with lazy discarding of SVE state.
* The host FPMR value can be discarded when running a non-protected VM,
  where FPMR support is not exposed to a VM, and that VM uses
  FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR
  before unbinding the host's FPSIMD/SVE/SME state, leaving a stale
  value in memory.
Avoid these by eagerly saving and "flushing" the host's FPSIMD/SVE/SME
state when loading a vCPU such that KVM does not need to save any of the
host's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is
removed and the necessary call to fpsimd_save_and_flush_cpu_state() is
placed in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr'
should not be used, they are set to NULL; all uses of these will be
removed in subsequent patches.
Historical problems go back at least as far as v5.17, e.g. erroneous
assumptions about TIF_SVE being clear in commit:
8383741ab2e773a9 ("KVM: arm64: Get rid of host SVE tracking/saving")
... and so this eager save+flush probably needs to be backported to ALL
stable trees.
The Linux kernel CVE team has assigned CVE-2025-22013 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.2 with commit 8c845e2731041f0fdf9287dea80b039b26332c9f and fixed in 6.6.85 with commit 806d5c1e1d2e5502175a24bf70f251648d99c36a
Issue introduced in 6.2 with commit 8c845e2731041f0fdf9287dea80b039b26332c9f and fixed in 6.12.21 with commit 79e140bba70bcacc5fe15bf8c0b958793fd7d56f
Issue introduced in 6.2 with commit 8c845e2731041f0fdf9287dea80b039b26332c9f and fixed in 6.13.9 with commit 900b444be493b7f404898c785d6605b177a093d0
Issue introduced in 6.2 with commit 8c845e2731041f0fdf9287dea80b039b26332c9f and fixed in 6.14 with commit fbc7e61195e23f744814e78524b73b59faa54ab4
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-22013
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
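As an added example, not part of this announcement or of the kernel's own code, the POSIX shell script below turns the version ranges listed above into a first-pass check: it parses a kernel version string (as printed by `uname -r`, including distro suffixes and `-rcN` tags), and reports whether it falls inside an affected range. The ranges are taken from the announcement (introduced in 6.2; fixed in 6.6.85, 6.12.21, 6.13.9 on their stable branches and in 6.14 mainline); the function names and the handling of suffixes are this example's own assumptions.

```shell
#!/bin/sh
# Added example: map a kernel version string onto the affected ranges
# from the CVE-2025-22013 announcement. Not the kernel's own code.

# key VERSION: print "major minor patch final" for strings such as
# 6.6.85-generic, 6.14-rc5 or 6.2. Anything after '-' is dropped, except
# that a "-rc" suffix marks a prerelease (final=0), which sorts before
# the corresponding release (final=1).
key() {
    printf '%s\n' "$1" | awk -F'[.-]' '{
        final = ($0 ~ /-rc[0-9]*/) ? 0 : 1
        patch = ($3 ~ /^[0-9]+$/) ? $3 : 0
        printf "%d %d %d %d\n", $1, $2, patch, final
    }'
}

# vercmp A B: print -1, 0 or 1 as A is older than, equal to, or newer than B.
vercmp() {
    awk -v a="$(key "$1")" -v b="$(key "$2")" 'BEGIN {
        split(a, x, " "); split(b, y, " ")
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) { print -1; exit }
            if (x[i] + 0 > y[i] + 0) { print 1; exit }
        }
        print 0
    }'
}

# branch VERSION: print the stable branch, e.g. 6.6 for 6.6.85-generic.
branch() {
    set -- $(key "$1")
    printf '%s.%s\n' "$1" "$2"
}

# is_affected VERSION: return 0 (true) if VERSION lies in an affected
# range, 1 otherwise, and print the verdict. Ranges as listed in the
# announcement: introduced in 6.2; fixed in 6.6.85, 6.12.21, 6.13.9
# (stable branches) and 6.14 (mainline). Branches between 6.2 and 6.13
# that have no listed fix are treated as affected throughout.
is_affected() {
    v="$1"
    if [ "$(vercmp "$v" 6.2)" -lt 0 ]; then
        echo "$v: unaffected (predates 6.2)"; return 1
    fi
    for fix in 6.6.85 6.12.21 6.13.9; do
        if [ "$(branch "$v")" = "${fix%.*}" ]; then
            if [ "$(vercmp "$v" "$fix")" -lt 0 ]; then
                echo "$v: affected (fixed in $fix)"; return 0
            fi
            echo "$v: unaffected (>= $fix)"; return 1
        fi
    done
    if [ "$(vercmp "$v" 6.14)" -lt 0 ]; then
        echo "$v: affected (no listed fix on this branch; fixed in 6.14)"; return 0
    fi
    echo "$v: unaffected (>= 6.14)"; return 1
}

# Usage: ./check.sh "$(uname -r)" 6.12.20 6.14-rc5
for v in "$@"; do
    is_affected "$v" || :
done
```

The verdict is based purely on the version number, so it is only a first pass: distribution kernels often carry backported fixes without changing `uname -r`, and branches not listed above may receive fixes later. The official CVE record linked above remains the authoritative source; a version that this script reports as affected still needs to be checked against the distribution's own changelog or security tracker.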
Affected files
==============
The file(s) affected by this issue are:
arch/arm64/kernel/fpsimd.c
arch/arm64/kvm/fpsimd.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/806d5c1e1d2e5502175a24bf70f251648d99c36a
https://git.kernel.org/stable/c/79e140bba70bcacc5fe15bf8c0b958793fd7d56f
https://git.kernel.org/stable/c/900b444be493b7f404898c785d6605b177a093d0
https://git.kernel.org/stable/c/fbc7e61195e23f744814e78524b73b59faa54ab4