CVE-2025-37957

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
20/05/2025
Last modified:
22/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception

Previously, commit ed129ec9057f ("KVM: x86: forcibly leave nested mode
on vCPU reset") addressed an issue where a triple fault occurring in
nested mode could lead to use-after-free scenarios. However, the commit
did not handle the analogous situation for System Management Mode (SMM).

This omission results in triggering a WARN when KVM forces a vCPU INIT
after SHUTDOWN interception while the vCPU is in SMM. This situation was
reproduced using Syzkaller by:

1) Creating a KVM VM and vCPU
2) Sending a KVM_SMI ioctl to explicitly enter SMM
3) Executing invalid instructions causing consecutive exceptions and
   eventually a triple fault

The issue manifests as follows:

WARNING: CPU: 0 PID: 25506 at arch/x86/kvm/x86.c:12112
kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112
Modules linked in:
CPU: 0 PID: 25506 Comm: syz-executor.0 Not tainted
6.1.130-syzkaller-00157-g164fe5dde9b6 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.12.0-1 04/01/2014
RIP: 0010:kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112
Call Trace:

shutdown_interception+0x66/0xb0 arch/x86/kvm/svm/svm.c:2136
svm_invoke_exit_handler+0x110/0x530 arch/x86/kvm/svm/svm.c:3395
svm_handle_exit+0x424/0x920 arch/x86/kvm/svm/svm.c:3457
vcpu_enter_guest arch/x86/kvm/x86.c:10959 [inline]
vcpu_run+0x2c43/0x5a90 arch/x86/kvm/x86.c:11062
kvm_arch_vcpu_ioctl_run+0x50f/0x1cf0 arch/x86/kvm/x86.c:11283
kvm_vcpu_ioctl+0x570/0xf00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4122
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Architecturally, INIT is blocked when the CPU is in SMM, hence KVM's WARN()
in kvm_vcpu_reset() to guard against KVM bugs, e.g. to detect improper
emulation of INIT. SHUTDOWN on SVM is a weird edge case where KVM needs to
do _something_ sane with the VMCB, since it's technically undefined, and
INIT is the least awful choice given KVM's ABI.

So, double down on stuffing INIT on SHUTDOWN, and force the vCPU out of
SMM to avoid any weirdness (and the WARN).

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

[sean: massage changelog, make it clear this isn't architectural behavior]

Impact