| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025050945-CVE-2025-37885-a5d9@gregkh> Date: Fri, 9 May 2025 08:45:52 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-37885: KVM: x86: Reset IRTE to host control if *new* route isn't postable From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Reset IRTE to host control if *new* route isn't postable Restore an IRTE back to host control (remapped or posted MSI mode) if the *new* GSI route prevents posting the IRQ directly to a vCPU, regardless of the GSI routing type. Updating the IRTE if and only if the new GSI is an MSI results in KVM leaving an IRTE posting to a vCPU. The dangling IRTE can result in interrupts being incorrectly delivered to the guest, and in the worst case scenario can result in use-after-free, e.g. if the VM is torn down, but the underlying host IRQ isn't freed. The Linux kernel CVE team has assigned CVE-2025-37885 to this issue. Affected and fixed versions =========================== Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 5.10.237 with commit e5f2dee9f7fcd2ff4b97869f3c66a0d89c167769 Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 5.15.181 with commit 116c7d35b8f72eac383b9fd371d7c1a8ffc2968b Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.1.136 with commit 023816bd5fa46fab94d1e7917fe131b79ed1fb41 Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.6.89 with commit 3481fd96d801715942b6f69fe251133128156f30 Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.12.26 with commit b5de7ac74f69603ad803c524b840bffd36368fc3 Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.14.5 with commit 3066ec21d1a33896125747f68638725f456308db Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.15-rc4 with commit 9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-37885 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: arch/x86/kvm/svm/avic.c arch/x86/kvm/vmx/posted_intr.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/e5f2dee9f7fcd2ff4b97869f3c66a0d89c167769 https://git.kernel.org/stable/c/116c7d35b8f72eac383b9fd371d7c1a8ffc2968b https://git.kernel.org/stable/c/023816bd5fa46fab94d1e7917fe131b79ed1fb41 https://git.kernel.org/stable/c/3481fd96d801715942b6f69fe251133128156f30 https://git.kernel.org/stable/c/b5de7ac74f69603ad803c524b840bffd36368fc3 https://git.kernel.org/stable/c/3066ec21d1a33896125747f68638725f456308db https://git.kernel.org/stable/c/9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2
Powered by blists - more mailing lists