CVE-2025-21632

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/01/2025
Last modified:
19/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

x86/fpu: Ensure shadow stack is active before "getting" registers

The x86 shadow stack support has its own set of registers. Those registers
are XSAVE-managed, but they are "supervisor state components" which means
that userspace can not touch them with XSAVE/XRSTOR. It also means that
they are not accessible from the existing ptrace ABI for XSAVE state.
Thus, there is a new ptrace get/set interface for it.

The regset code that ptrace uses provides an ->active() handler in
addition to the get/set ones. For shadow stack this ->active() handler
verifies that shadow stack is enabled via the ARCH_SHSTK_SHSTK bit in the
thread struct. The ->active() handler is checked from some call sites of
the regset get/set handlers, but not the ptrace ones. This was not
understood when shadow stack support was put in place.

As a result, both the set/get handlers can be called with
XFEATURE_CET_USER in its init state, which would cause get_xsave_addr() to
return NULL and trigger a WARN_ON(). The ssp_set() handler luckily has an
ssp_active() check to avoid surprising the kernel with shadow stack
behavior when the kernel is not ready for it (ARCH_SHSTK_SHSTK==0). That
check just happened to avoid the warning.

But the ->get() side wasn't so lucky. It can be called with shadow stacks
disabled, triggering the warning in practice, as reported by Christina
Schimpe:

WARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 ssp_get+0x89/0xa0
[...]
Call Trace:

 ? show_regs+0x6e/0x80
 ? ssp_get+0x89/0xa0
 ? __warn+0x91/0x150
 ? ssp_get+0x89/0xa0
 ? report_bug+0x19d/0x1b0
 ? handle_bug+0x46/0x80
 ? exc_invalid_op+0x1d/0x80
 ? asm_exc_invalid_op+0x1f/0x30
 ? __pfx_ssp_get+0x10/0x10
 ? ssp_get+0x89/0xa0
 ? ssp_get+0x52/0xa0
 __regset_get+0xad/0xf0
 copy_regset_to_user+0x52/0xc0
 ptrace_regset+0x119/0x140
 ptrace_request+0x13c/0x850
 ? wait_task_inactive+0x142/0x1d0
 ? do_syscall_64+0x6d/0x90
 arch_ptrace+0x102/0x300
[...]

Ensure that shadow stacks are active in a thread before looking them up
in the XSAVE buffer. Since ARCH_SHSTK_SHSTK and user_ssp[SHSTK_EN] are
set at the same time, the active check ensures that there will be
something to find in the XSAVE buffer.

[ dhansen: changelog/subject tweaks ]
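The regset path in the description above, as an added userspace model written for this page. It is not kernel code and not part of the advisory: the structs are simplified stand-ins for the kernel's fpu/XSAVE and thread state, ssp_get_prefix()/ssp_get_fixed() are names chosen here for the handler before and after the fix, ptrace_getregset() stands for the ptrace_regset -> copy_regset_to_user -> __regset_get chain seen in the trace, and SAMPLE_SSP is a constructed value. The point it isolates is that the ptrace path never consults the regset's ->active() handler, so a ->get() that assumes it was consulted reaches get_xsave_addr() with XFEATURE_CET_USER in its init state.

```c
/*
 * Added illustration for CVE-2025-21632: a userspace model of the regset
 * path, not kernel code. Names mirror the kernel's (ssp_get, ssp_active,
 * get_xsave_addr, XFEATURE_CET_USER, ARCH_SHSTK_SHSTK); structs are stand-ins.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XFEATURE_MASK_CET_USER (1ULL << 11)  /* CET_USER bit in the xfeatures mask */
#define ARCH_SHSTK_SHSTK       (1ULL << 0)   /* "shadow stack enabled" in thread.features */
#define SAMPLE_SSP 0x7ffff7ff8ff8ULL         /* constructed shadow stack pointer value */

/* Simplified XSAVE area: header mask plus the CET_USER supervisor component. */
struct xsave_model {
	uint64_t xfeatures;   /* components that are not in their init state */
	uint64_t user_cet;    /* cet_user_state.user_cet, bit 0 = SHSTK_EN */
	uint64_t user_ssp;    /* cet_user_state.user_ssp */
};

struct task_model { uint64_t features; /* thread.features */ struct xsave_model xsave; };

static int warn_count;    /* times the modelled WARN_ON() fired */
static int warn_on(int cond) { if (cond) warn_count++; return cond; }

/* As in the kernel: a component in its init state has no address in the buffer. */
static struct xsave_model *get_xsave_addr(struct task_model *t, uint64_t mask)
{ return (t->xsave.xfeatures & mask) ? &t->xsave : NULL; }

/* The regset's ->active() handler. */
static int ssp_active(const struct task_model *t) { return (t->features & ARCH_SHSTK_SHSTK) != 0; }

/* Pre-fix ->get(): relies on the caller having consulted ->active(). */
static int ssp_get_prefix(struct task_model *t, uint64_t *out)
{
	struct xsave_model *cet = get_xsave_addr(t, XFEATURE_MASK_CET_USER);
	if (warn_on(cet == NULL))
		return -ENODEV;
	*out = cet->user_ssp;
	return 0;
}

/* Fixed ->get(): enforces the precondition itself, as ssp_set() already did. */
static int ssp_get_fixed(struct task_model *t, uint64_t *out)
{
	struct xsave_model *cet;
	if (!ssp_active(t))
		return -ENODEV;
	cet = get_xsave_addr(t, XFEATURE_MASK_CET_USER);
	if (warn_on(cet == NULL))
		return -ENODEV;
	*out = cet->user_ssp;
	return 0;
}

typedef int (*regset_get_fn)(struct task_model *, uint64_t *);

/* The ptrace path (ptrace_regset -> copy_regset_to_user -> __regset_get)
 * invokes ->get() directly; nothing on the way consults ->active(). */
static int ptrace_getregset(struct task_model *t, regset_get_fn get, uint64_t *out)
{
	return get(t, out);
}

/* A tracee before or after ARCH_SHSTK_ENABLE. When enabled, ARCH_SHSTK_SHSTK
 * and the CET_USER component are populated together, which the fix relies on. */
static void make_task(struct task_model *t, int shstk_on)
{
	memset(t, 0, sizeof(*t));
	if (shstk_on) {
		t->features = ARCH_SHSTK_SHSTK;
		t->xsave.xfeatures = XFEATURE_MASK_CET_USER;
		t->xsave.user_cet = 1;  /* SHSTK_EN */
		t->xsave.user_ssp = SAMPLE_SSP;
	}
}

static int last_warned;       /* WARN_ON()s fired during the last probe() */
static uint64_t last_ssp;     /* SSP returned by the last probe(), 0 on failure */

/* Runs one handler variant through the modelled ptrace path. */
static int probe(regset_get_fn get, int shstk_on)
{
	struct task_model t;
	int before = warn_count, ret;
	make_task(&t, shstk_on);
	last_ssp = 0;
	ret = ptrace_getregset(&t, get, &last_ssp);
	last_warned = warn_count - before;
	return ret;
}

int main(void)
{
	int ret = probe(ssp_get_prefix, 0);
	printf("pre-fix, shstk off: ret=%d, WARN_ON fired %d time(s)\n", ret, last_warned);
	ret = probe(ssp_get_fixed, 0);
	printf("fixed,   shstk off: ret=%d, WARN_ON fired %d time(s)\n", ret, last_warned);
	ret = probe(ssp_get_fixed, 1);
	printf("fixed,   shstk on:  ret=%d, ssp=%#llx\n", ret, (unsigned long long)last_ssp);
	return 0;
}
```

In this model both handlers return -ENODEV to the tracer when shadow stack is off; the only observable difference is that the pre-fix variant also fires WARN_ON(), which on a real system means a kernel warning in the log for every PTRACE_GETREGSET of the shadow stack regset against a thread that never enabled it. That is why the fix is a handler-local ssp_active() check rather than a change to the ptrace core: the handler cannot assume any caller has already filtered on ->active().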

Impact