cve/published/2025/CVE-2025-23141.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-23141: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses

 Acquire a lock on kvm->srcu when userspace is getting MP state to handle a
 rather extreme edge case where "accepting" APIC events, i.e. processing
 pending INIT or SIPI, can trigger accesses to guest memory.  If the vCPU
 is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP
 state will trigger a nested VM-Exit by way of ->check_nested_events(), and
 emuating the nested VM-Exit can access guest memory.

 The splat was originally hit by syzkaller on a Google-internal kernel, and
 reproduced on an upstream kernel by hacking the triple_fault_event_test
 selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a
 memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.

   =============================
   WARNING: suspicious RCU usage
   6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted
   -----------------------------
   include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!

   other info that might help us debug this:

   rcu_scheduler_active = 2, debug_locks = 1
   1 lock held by triple_fault_ev/1256:
    #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]

   stack backtrace:
   CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3
   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
   Call Trace:
    <TASK>
    dump_stack_lvl+0x7f/0x90
    lockdep_rcu_suspicious+0x144/0x190
    kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]
    kvm_vcpu_read_guest+0x3e/0x90 [kvm]
    read_and_check_msr_entry+0x2e/0x180 [kvm_intel]
    __nested_vmx_vmexit+0x550/0xde0 [kvm_intel]
    kvm_check_nested_events+0x1b/0x30 [kvm]
    kvm_apic_accept_events+0x33/0x100 [kvm]
    kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]
    kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]
    __x64_sys_ioctl+0x8b/0xb0
    do_syscall_64+0x6c/0x170
    entry_SYSCALL_64_after_hwframe+0x4b/0x53
    </TASK>

 The Linux kernel CVE team has assigned CVE-2025-23141 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.1.135 with commit 0357c8406dfa09430dd9858ebe813feb65524b6e
 	Fixed in 6.6.88 with commit 8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be
 	Fixed in 6.12.24 with commit 7bc5c360375d28ba5ef6298b0d53e735c81d66a1
 	Fixed in 6.13.12 with commit f5cbe725b7477b4cd677be1b86b4e08f90572997
 	Fixed in 6.14.3 with commit 592e040572f216d916f465047c8ce4a308fcca44
 	Fixed in 6.15 with commit ef01cac401f18647d62720cf773d7bb0541827da

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-23141
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kvm/x86.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0357c8406dfa09430dd9858ebe813feb65524b6e
 	https://git.kernel.org/stable/c/8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be
 	https://git.kernel.org/stable/c/7bc5c360375d28ba5ef6298b0d53e735c81d66a1
 	https://git.kernel.org/stable/c/f5cbe725b7477b4cd677be1b86b4e08f90572997
 	https://git.kernel.org/stable/c/592e040572f216d916f465047c8ce4a308fcca44
 	https://git.kernel.org/stable/c/ef01cac401f18647d62720cf773d7bb0541827da
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-23141: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses

	Acquire a lock on kvm->srcu when userspace is getting MP state to handle a
	rather extreme edge case where "accepting" APIC events, i.e. processing
	pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU
	is in L2 with INIT and a TRIPLE_FAULT request pending, then getting MP
	state will trigger a nested VM-Exit by way of ->check_nested_events(), and
	emuating the nested VM-Exit can access guest memory.

	The splat was originally hit by syzkaller on a Google-internal kernel, and
	reproduced on an upstream kernel by hacking the triple_fault_event_test
	selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a
	memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.

	=============================
	WARNING: suspicious RCU usage
	6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted
	-----------------------------
	include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!

	other info that might help us debug this:

	rcu_scheduler_active = 2, debug_locks = 1
	1 lock held by triple_fault_ev/1256:
	#0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]

	stack backtrace:
	CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
	Call Trace:
	<TASK>
	dump_stack_lvl+0x7f/0x90
	lockdep_rcu_suspicious+0x144/0x190
	kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]
	kvm_vcpu_read_guest+0x3e/0x90 [kvm]
	read_and_check_msr_entry+0x2e/0x180 [kvm_intel]
	__nested_vmx_vmexit+0x550/0xde0 [kvm_intel]
	kvm_check_nested_events+0x1b/0x30 [kvm]
	kvm_apic_accept_events+0x33/0x100 [kvm]
	kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]
	kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]
	__x64_sys_ioctl+0x8b/0xb0
	do_syscall_64+0x6c/0x170
	entry_SYSCALL_64_after_hwframe+0x4b/0x53
	</TASK>

	The Linux kernel CVE team has assigned CVE-2025-23141 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.1.135 with commit 0357c8406dfa09430dd9858ebe813feb65524b6e
	Fixed in 6.6.88 with commit 8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be
	Fixed in 6.12.24 with commit 7bc5c360375d28ba5ef6298b0d53e735c81d66a1
	Fixed in 6.13.12 with commit f5cbe725b7477b4cd677be1b86b4e08f90572997
	Fixed in 6.14.3 with commit 592e040572f216d916f465047c8ce4a308fcca44
	Fixed in 6.15 with commit ef01cac401f18647d62720cf773d7bb0541827da

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-23141
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kvm/x86.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0357c8406dfa09430dd9858ebe813feb65524b6e
	https://git.kernel.org/stable/c/8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be
	https://git.kernel.org/stable/c/7bc5c360375d28ba5ef6298b0d53e735c81d66a1
	https://git.kernel.org/stable/c/f5cbe725b7477b4cd677be1b86b4e08f90572997
	https://git.kernel.org/stable/c/592e040572f216d916f465047c8ce4a308fcca44
	https://git.kernel.org/stable/c/ef01cac401f18647d62720cf773d7bb0541827da