cve/published/2025/CVE-2025-21779.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21779: KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel

 Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and
 only if the local API is emulated/virtualized by KVM, and explicitly reject
 said hypercalls if the local APIC is emulated in userspace, i.e. don't rely
 on userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID.

 Rejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if
 Hyper-V enlightenments are exposed to the guest without an in-kernel local
 APIC:

   dump_stack+0xbe/0xfd
   __kasan_report.cold+0x34/0x84
   kasan_report+0x3a/0x50
   __apic_accept_irq+0x3a/0x5c0
   kvm_hv_send_ipi.isra.0+0x34e/0x820
   kvm_hv_hypercall+0x8d9/0x9d0
   kvm_emulate_hypercall+0x506/0x7e0
   __vmx_handle_exit+0x283/0xb60
   vmx_handle_exit+0x1d/0xd0
   vcpu_enter_guest+0x16b0/0x24c0
   vcpu_run+0xc0/0x550
   kvm_arch_vcpu_ioctl_run+0x170/0x6d0
   kvm_vcpu_ioctl+0x413/0xb20
   __se_sys_ioctl+0x111/0x160
   do_syscal1_64+0x30/0x40
   entry_SYSCALL_64_after_hwframe+0x67/0xd1

 Note, checking the sending vCPU is sufficient, as the per-VM irqchip_mode
 can't be modified after vCPUs are created, i.e. if one vCPU has an
 in-kernel local APIC, then all vCPUs have an in-kernel local APIC.

 The Linux kernel CVE team has assigned CVE-2025-21779 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 5.10.236 with commit 61224533f2b61e252b03e214195d27d64b22989a
 	Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 5.15.179 with commit 45fa526b0f5a34492ed0536c3cdf88b78380e4de
 	Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.1.129 with commit 5393cf22312418262679eaadb130d608c75fe690
 	Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.6.79 with commit 874ff13c73c45ecb38cb82191e8c1d523f0dc81b
 	Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.12.16 with commit aca8be4403fb90db7adaf63830e27ebe787a76e8
 	Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.13.4 with commit ca29f58ca374c40a0e69c5306fc5c940a0069074
 	Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.14 with commit a8de7f100bb5989d9c3627d3a223ee1c863f3b69

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21779
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kvm/hyperv.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/61224533f2b61e252b03e214195d27d64b22989a
 	https://git.kernel.org/stable/c/45fa526b0f5a34492ed0536c3cdf88b78380e4de
 	https://git.kernel.org/stable/c/5393cf22312418262679eaadb130d608c75fe690
 	https://git.kernel.org/stable/c/874ff13c73c45ecb38cb82191e8c1d523f0dc81b
 	https://git.kernel.org/stable/c/aca8be4403fb90db7adaf63830e27ebe787a76e8
 	https://git.kernel.org/stable/c/ca29f58ca374c40a0e69c5306fc5c940a0069074
 	https://git.kernel.org/stable/c/a8de7f100bb5989d9c3627d3a223ee1c863f3b69
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21779: KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel

	Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and
	only if the local API is emulated/virtualized by KVM, and explicitly reject
	said hypercalls if the local APIC is emulated in userspace, i.e. don't rely
	on userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID.

	Rejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if
	Hyper-V enlightenments are exposed to the guest without an in-kernel local
	APIC:

	dump_stack+0xbe/0xfd
	__kasan_report.cold+0x34/0x84
	kasan_report+0x3a/0x50
	__apic_accept_irq+0x3a/0x5c0
	kvm_hv_send_ipi.isra.0+0x34e/0x820
	kvm_hv_hypercall+0x8d9/0x9d0
	kvm_emulate_hypercall+0x506/0x7e0
	__vmx_handle_exit+0x283/0xb60
	vmx_handle_exit+0x1d/0xd0
	vcpu_enter_guest+0x16b0/0x24c0
	vcpu_run+0xc0/0x550
	kvm_arch_vcpu_ioctl_run+0x170/0x6d0
	kvm_vcpu_ioctl+0x413/0xb20
	__se_sys_ioctl+0x111/0x160
	do_syscal1_64+0x30/0x40
	entry_SYSCALL_64_after_hwframe+0x67/0xd1

	Note, checking the sending vCPU is sufficient, as the per-VM irqchip_mode
	can't be modified after vCPUs are created, i.e. if one vCPU has an
	in-kernel local APIC, then all vCPUs have an in-kernel local APIC.

	The Linux kernel CVE team has assigned CVE-2025-21779 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 5.10.236 with commit 61224533f2b61e252b03e214195d27d64b22989a
	Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 5.15.179 with commit 45fa526b0f5a34492ed0536c3cdf88b78380e4de
	Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.1.129 with commit 5393cf22312418262679eaadb130d608c75fe690
	Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.6.79 with commit 874ff13c73c45ecb38cb82191e8c1d523f0dc81b
	Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.12.16 with commit aca8be4403fb90db7adaf63830e27ebe787a76e8
	Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.13.4 with commit ca29f58ca374c40a0e69c5306fc5c940a0069074
	Issue introduced in 4.20 with commit 214ff83d4473a7757fa18a64dc7efe3b0e158486 and fixed in 6.14 with commit a8de7f100bb5989d9c3627d3a223ee1c863f3b69

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21779
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kvm/hyperv.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/61224533f2b61e252b03e214195d27d64b22989a
	https://git.kernel.org/stable/c/45fa526b0f5a34492ed0536c3cdf88b78380e4de
	https://git.kernel.org/stable/c/5393cf22312418262679eaadb130d608c75fe690
	https://git.kernel.org/stable/c/874ff13c73c45ecb38cb82191e8c1d523f0dc81b
	https://git.kernel.org/stable/c/aca8be4403fb90db7adaf63830e27ebe787a76e8
	https://git.kernel.org/stable/c/ca29f58ca374c40a0e69c5306fc5c940a0069074
	https://git.kernel.org/stable/c/a8de7f100bb5989d9c3627d3a223ee1c863f3b69