| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025090522-CVE-2025-39726-8934@gregkh> Date: Fri, 5 Sep 2025 19:27:24 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-39726: s390/ism: fix concurrency management in ism_cmd() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: s390/ism: fix concurrency management in ism_cmd() The s390x ISM device data sheet clearly states that only one request-response sequence is allowable per ISM function at any point in time. Unfortunately as of today the s390/ism driver in Linux does not honor that requirement. This patch aims to rectify that. This problem was discovered based on Aliaksei's bug report which states that for certain workloads the ISM functions end up entering error state (with PEC 2 as seen from the logs) after a while and as a consequence connections handled by the respective function break, and for future connection requests the ISM device is not considered -- given it is in a dysfunctional state. During further debugging PEC 3A was observed as well. A kernel message like [ 1211.244319] zpci: 061a:00:00.0: Event 0x2 reports an error for PCI function 0x61a is a reliable indicator of the stated function entering error state with PEC 2. Let me also point out that a kernel message like [ 1211.244325] zpci: 061a:00:00.0: The ism driver bound to the device does not support error recovery is a reliable indicator that the ISM function won't be auto-recovered because the ISM driver currently lacks support for it. On a technical level, without this synchronization, commands (inputs to the FW) may be partially or fully overwritten (corrupted) by another CPU trying to issue commands on the same function. There is hard evidence that this can lead to DMB token values being used as DMB IOVAs, leading to PEC 2 PCI events indicating invalid DMA. But this is only one of the failure modes imaginable. In theory even completely losing one command and executing another one twice and then trying to interpret the outputs as if the command we intended to execute was actually executed and not the other one is also possible. Frankly, I don't feel confident about providing an exhaustive list of possible consequences. The Linux kernel CVE team has assigned CVE-2025-39726 to this issue. Affected and fixed versions =========================== Issue introduced in 4.19 with commit 684b89bc39ce4f204b1a2b180f39f2eb36a6b695 and fixed in 6.6.101 with commit faf44487dfc80817f178dc8de7a0b73f960d019b Issue introduced in 4.19 with commit 684b89bc39ce4f204b1a2b180f39f2eb36a6b695 and fixed in 6.12.41 with commit 1194ad0d44d66b273a02a3a22882dc863a68d764 Issue introduced in 4.19 with commit 684b89bc39ce4f204b1a2b180f39f2eb36a6b695 and fixed in 6.15.9 with commit fafaa4982bedb5532f5952000f714a3e63023f40 Issue introduced in 4.19 with commit 684b89bc39ce4f204b1a2b180f39f2eb36a6b695 and fixed in 6.16 with commit 897e8601b9cff1d054cdd53047f568b0e1995726 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-39726 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/s390/net/ism_drv.c include/linux/ism.h Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/faf44487dfc80817f178dc8de7a0b73f960d019b https://git.kernel.org/stable/c/1194ad0d44d66b273a02a3a22882dc863a68d764 https://git.kernel.org/stable/c/fafaa4982bedb5532f5952000f714a3e63023f40 https://git.kernel.org/stable/c/897e8601b9cff1d054cdd53047f568b0e1995726
Powered by blists - more mailing lists