CVE-2025-39936

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 04/10/2025
Last modified: 25/03/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked()

When

9770b428b1a2 ("crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown")

moved the error messages dumping so that they don't need to be issued by
the callers, it missed the case where __sev_firmware_shutdown() calls
__sev_platform_shutdown_locked() with a NULL argument which leads to
a NULL ptr deref on the shutdown path, during suspend to disk:

#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 0 UID: 0 PID: 983 Comm: hib.sh Not tainted 6.17.0-rc4+ #1 PREEMPT(voluntary)
Hardware name: Supermicro Super Server/H12SSL-i, BIOS 2.5 09/08/2022
RIP: 0010:__sev_platform_shutdown_locked.cold+0x0/0x21 [ccp]

That rIP is:

00000000000006fd :
6fd: 8b 13             mov (%rbx),%edx
6ff: 48 8b 7d 00       mov 0x0(%rbp),%rdi
703: 89 c1             mov %eax,%ecx

Code: 74 05 31 ff 41 89 3f 49 8b 3e 89 ea 48 c7 c6 a0 8e 54 a0 41 bf 92 ff ff ff e8 e5 2e 09 e1 c6 05 2a d4 38 00 01 e9 26 af ff ff 13 48 8b 7d 00 89 c1 48 c7 c6 18 90 54 a0 89 44 24 04 e8 c1 2e
RSP: 0018:ffffc90005467d00 EFLAGS: 00010282
RAX: 00000000ffffff92 RBX: 0000000000000000 RCX: 0000000000000000
                           ^^^^^^^^^^^^^^^^
and %rbx is nice and clean.

Call Trace:

__sev_firmware_shutdown.isra.0
sev_dev_destroy
psp_dev_destroy
sp_destroy
pci_device_shutdown
device_shutdown
kernel_power_off
hibernate.cold
state_store
kernfs_fop_write_iter
vfs_write
ksys_write
do_syscall_64
entry_SYSCALL_64_after_hwframe

Pass in a pointer to the function-local error var in the caller.

With that addressed, suspending the ccp shows the error properly at
least:

ccp 0000:47:00.1: sev command 0x2 timed out, disabling PSP
ccp 0000:47:00.1: SEV: failed to SHUTDOWN error 0x0, rc -110
SEV-SNP: Leaking PFN range 0x146800-0x146a00
SEV-SNP: PFN 0x146800 unassigned, dumping non-zero entries in 2M PFN region: [0x146800 - 0x146a00]
...
ccp 0000:47:00.1: SEV-SNP firmware shutdown failed, rc -16, error 0x0
ACPI: PM: Preparing to enter system sleep state S5
kvm: exiting hardware virtualization
reboot: Power down

Btw, this driver is crying to be cleaned up to pass in a proper I/O
struct which can be used to store information between the different
functions, otherwise stuff like that will happen in the future again.
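An added example, not kernel code and not from the commit, that models the defect in plain C: the callee dereferences its error out-parameter to log the failure, the fixed caller passes a pointer to a local as the commit does, and a hardened callee variant additionally tolerates NULL. Function names are modelled on the trace above and the -110 / 0x0 values are taken from the log; the firmware command itself is a constructed stand-in.

```c
#include <stdio.h>
/* Constructed model of the bug class described above; not kernel code.
 * Names mirror the trace, values mirror "rc -110" / "error 0x0". */

/* Stand-in for the firmware command: SHUTDOWN "times out" and the
 * firmware status 0x0 is reported through the out-parameter. */
static int sev_do_cmd_model(int *psp_ret)
{
    if (psp_ret)
        *psp_ret = 0;
    return -110; /* -ETIMEDOUT, the rc in the log above */
}

/* Pre-fix shape: the callee prints the message itself, so it reads
 * *error unconditionally; a NULL argument faults here as in the oops. */
int shutdown_locked_unchecked(int *error)
{
    int rc = sev_do_cmd_model(error);
    if (rc)
        fprintf(stderr, "SEV: failed to SHUTDOWN error 0x%x, rc %d\n", *error, rc);
    return rc;
}

/* Defensive callee: substitute a local when handed NULL, then proceed. */
int shutdown_locked_hardened(int *error)
{
    int local_error = 0;
    if (!error)
        error = &local_error;
    return shutdown_locked_unchecked(error);
}

/* The commit's fix, on the caller side: always pass a pointer to a
 * function-local error variable. *reported_error exposes it to callers. */
int firmware_shutdown_fixed(int *reported_error)
{
    int error = 0;
    int rc = shutdown_locked_unchecked(&error);
    if (reported_error)
        *reported_error = error;
    return rc;
}

int main(void)
{
    int err = -1, rc = firmware_shutdown_fixed(&err);
    printf("caller fix: rc %d, error 0x%x\n", rc, err);
    printf("callee fix: rc %d\n", shutdown_locked_hardened(NULL));
    return 0;
}
```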

Vulnerable products and versions

CPE                                                   From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*          6.16 (including)   6.16.9 (excluding)
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*