CVE-2025-40026
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
28/10/2025
Última modificación:
30/10/2025
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
KVM: x86: Don&#39;t (re)check L1 intercepts when completing userspace I/O<br />
<br />
When completing emulation of instruction that generated a userspace exit<br />
for I/O, don&#39;t recheck L1 intercepts as KVM has already finished that<br />
phase of instruction execution, i.e. has already committed to allowing L2<br />
to perform I/O. If L1 (or host userspace) modifies the I/O permission<br />
bitmaps during the exit to userspace, KVM will treat the access as being<br />
intercepted despite already having emulated the I/O access.<br />
<br />
Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.<br />
Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the<br />
intended "recipient") can reach the code in question. gp_interception()&#39;s<br />
use is mutually exclusive with is_guest_mode(), and<br />
complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with<br />
EMULTYPE_SKIP.<br />
<br />
The bad behavior was detected by a syzkaller program that toggles port I/O<br />
interception during the userspace I/O exit, ultimately resulting in a WARN<br />
on vcpu->arch.pio.count being non-zero due to KVM no completing emulation<br />
of the I/O instruction.<br />
<br />
WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]<br />
Modules linked in: kvm_intel kvm irqbypass<br />
CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE<br />
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015<br />
RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]<br />
PKRU: 55555554<br />
Call Trace:<br />
<br />
kvm_fast_pio+0xd6/0x1d0 [kvm]<br />
vmx_handle_exit+0x149/0x610 [kvm_intel]<br />
kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]<br />
kvm_vcpu_ioctl+0x244/0x8c0 [kvm]<br />
__x64_sys_ioctl+0x8a/0xd0<br />
do_syscall_64+0x5d/0xc60<br />
entry_SYSCALL_64_after_hwframe+0x4b/0x53<br />
Impacto
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/00338255bb1f422642fb2798ebe92e93b6e4209b
- https://git.kernel.org/stable/c/3a062a5c55adc5507600b9ae6d911e247e2f1d6e
- https://git.kernel.org/stable/c/3d3abf3f7e8b1abb082070a343de82d7efc80523
- https://git.kernel.org/stable/c/7366830642505683bbe905a2ba5d18d6e4b512b8
- https://git.kernel.org/stable/c/a908eca437789589dd4624da428614c1275064dc
- https://git.kernel.org/stable/c/ba35a5d775799ce5ad60230be97336f2fefd518e
- https://git.kernel.org/stable/c/e0ce3ed1048a47986d15aef1a98ebda25560d257
- https://git.kernel.org/stable/c/e7177c7e32cb806f348387b7f4faafd4a5b32054
- https://git.kernel.org/stable/c/e750f85391286a4c8100275516973324b621a269