CVE-2025-23141
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/05/2025
Last modified:
05/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses<br />
<br />
Acquire a lock on kvm->srcu when userspace is getting MP state to handle a<br />
rather extreme edge case where "accepting" APIC events, i.e. processing<br />
pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU<br />
is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP<br />
state will trigger a nested VM-Exit by way of ->check_nested_events(), and<br />
emuating the nested VM-Exit can access guest memory.<br />
<br />
The splat was originally hit by syzkaller on a Google-internal kernel, and<br />
reproduced on an upstream kernel by hacking the triple_fault_event_test<br />
selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a<br />
memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.<br />
<br />
=============================<br />
WARNING: suspicious RCU usage<br />
6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted<br />
-----------------------------<br />
include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!<br />
<br />
other info that might help us debug this:<br />
<br />
rcu_scheduler_active = 2, debug_locks = 1<br />
1 lock held by triple_fault_ev/1256:<br />
#0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]<br />
<br />
stack backtrace:<br />
CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3<br />
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015<br />
Call Trace:<br />
<br />
dump_stack_lvl+0x7f/0x90<br />
lockdep_rcu_suspicious+0x144/0x190<br />
kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]<br />
kvm_vcpu_read_guest+0x3e/0x90 [kvm]<br />
read_and_check_msr_entry+0x2e/0x180 [kvm_intel]<br />
__nested_vmx_vmexit+0x550/0xde0 [kvm_intel]<br />
kvm_check_nested_events+0x1b/0x30 [kvm]<br />
kvm_apic_accept_events+0x33/0x100 [kvm]<br />
kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]<br />
kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]<br />
__x64_sys_ioctl+0x8b/0xb0<br />
do_syscall_64+0x6c/0x170<br />
entry_SYSCALL_64_after_hwframe+0x4b/0x53<br />
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.135 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.88 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.24 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.14 (including) | 6.14.3 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0357c8406dfa09430dd9858ebe813feb65524b6e
- https://git.kernel.org/stable/c/592e040572f216d916f465047c8ce4a308fcca44
- https://git.kernel.org/stable/c/7bc5c360375d28ba5ef6298b0d53e735c81d66a1
- https://git.kernel.org/stable/c/8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be
- https://git.kernel.org/stable/c/ef01cac401f18647d62720cf773d7bb0541827da
- https://git.kernel.org/stable/c/f5cbe725b7477b4cd677be1b86b4e08f90572997
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html