cve/published/2025/CVE-2025-22013.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-22013: KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state

 There are several problems with the way hyp code lazily saves the host's
 FPSIMD/SVE state, including:

 * Host SVE being discarded unexpectedly due to inconsistent
   configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to
   result in QEMU crashes where SVE is used by memmove(), as reported by
   Eric Auger:

   https://issues.redhat.com/browse/RHEL-68997

 * Host SVE state is discarded *after* modification by ptrace, which was an
   unintentional ptrace ABI change introduced with lazy discarding of SVE state.

 * The host FPMR value can be discarded when running a non-protected VM,
   where FPMR support is not exposed to a VM, and that VM uses
   FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR
   before unbinding the host's FPSIMD/SVE/SME state, leaving a stale
   value in memory.

 Avoid these by eagerly saving and "flushing" the host's FPSIMD/SVE/SME
 state when loading a vCPU such that KVM does not need to save any of the
 host's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is
 removed and the necessary call to fpsimd_save_and_flush_cpu_state() is
 placed in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr'
 should not be used, they are set to NULL; all uses of these will be
 removed in subsequent patches.

 Historical problems go back at least as far as v5.17, e.g. erroneous
 assumptions about TIF_SVE being clear in commit:

   8383741ab2e773a9 ("KVM: arm64: Get rid of host SVE tracking/saving")

 ... and so this eager save+flush probably needs to be backported to ALL
 stable trees.

 The Linux kernel CVE team has assigned CVE-2025-22013 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.2 with commit 93ae6b01bafee8fa385aa25ee7ebdb40057f6abe and fixed in 6.6.85 with commit 806d5c1e1d2e5502175a24bf70f251648d99c36a
 	Issue introduced in 6.2 with commit 93ae6b01bafee8fa385aa25ee7ebdb40057f6abe and fixed in 6.12.21 with commit 79e140bba70bcacc5fe15bf8c0b958793fd7d56f
 	Issue introduced in 6.2 with commit 93ae6b01bafee8fa385aa25ee7ebdb40057f6abe and fixed in 6.13.9 with commit 900b444be493b7f404898c785d6605b177a093d0
 	Issue introduced in 6.2 with commit 93ae6b01bafee8fa385aa25ee7ebdb40057f6abe and fixed in 6.14 with commit fbc7e61195e23f744814e78524b73b59faa54ab4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-22013
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/arm64/kernel/fpsimd.c
 	arch/arm64/kvm/fpsimd.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5289ac43b69c61a49c75720921f2008005a31c43
 	https://git.kernel.org/stable/c/04c50cc23a492c4d43fdaefc7c1ecc0ff6f7b82e
 	https://git.kernel.org/stable/c/806d5c1e1d2e5502175a24bf70f251648d99c36a
 	https://git.kernel.org/stable/c/79e140bba70bcacc5fe15bf8c0b958793fd7d56f
 	https://git.kernel.org/stable/c/900b444be493b7f404898c785d6605b177a093d0
 	https://git.kernel.org/stable/c/fbc7e61195e23f744814e78524b73b59faa54ab4
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-22013: KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state

	There are several problems with the way hyp code lazily saves the host's
	FPSIMD/SVE state, including:

	* Host SVE being discarded unexpectedly due to inconsistent
	configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to
	result in QEMU crashes where SVE is used by memmove(), as reported by
	Eric Auger:

	https://issues.redhat.com/browse/RHEL-68997

	* Host SVE state is discarded after modification by ptrace, which was an
	unintentional ptrace ABI change introduced with lazy discarding of SVE state.

	* The host FPMR value can be discarded when running a non-protected VM,
	where FPMR support is not exposed to a VM, and that VM uses
	FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR
	before unbinding the host's FPSIMD/SVE/SME state, leaving a stale
	value in memory.

	Avoid these by eagerly saving and "flushing" the host's FPSIMD/SVE/SME
	state when loading a vCPU such that KVM does not need to save any of the
	host's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is
	removed and the necessary call to fpsimd_save_and_flush_cpu_state() is
	placed in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr'
	should not be used, they are set to NULL; all uses of these will be
	removed in subsequent patches.

	Historical problems go back at least as far as v5.17, e.g. erroneous
	assumptions about TIF_SVE being clear in commit:

	8383741ab2e773a9 ("KVM: arm64: Get rid of host SVE tracking/saving")

	... and so this eager save+flush probably needs to be backported to ALL
	stable trees.

	The Linux kernel CVE team has assigned CVE-2025-22013 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.2 with commit 93ae6b01bafee8fa385aa25ee7ebdb40057f6abe and fixed in 6.6.85 with commit 806d5c1e1d2e5502175a24bf70f251648d99c36a
	Issue introduced in 6.2 with commit 93ae6b01bafee8fa385aa25ee7ebdb40057f6abe and fixed in 6.12.21 with commit 79e140bba70bcacc5fe15bf8c0b958793fd7d56f
	Issue introduced in 6.2 with commit 93ae6b01bafee8fa385aa25ee7ebdb40057f6abe and fixed in 6.13.9 with commit 900b444be493b7f404898c785d6605b177a093d0
	Issue introduced in 6.2 with commit 93ae6b01bafee8fa385aa25ee7ebdb40057f6abe and fixed in 6.14 with commit fbc7e61195e23f744814e78524b73b59faa54ab4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-22013
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/arm64/kernel/fpsimd.c
	arch/arm64/kvm/fpsimd.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5289ac43b69c61a49c75720921f2008005a31c43
	https://git.kernel.org/stable/c/04c50cc23a492c4d43fdaefc7c1ecc0ff6f7b82e
	https://git.kernel.org/stable/c/806d5c1e1d2e5502175a24bf70f251648d99c36a
	https://git.kernel.org/stable/c/79e140bba70bcacc5fe15bf8c0b958793fd7d56f
	https://git.kernel.org/stable/c/900b444be493b7f404898c785d6605b177a093d0
	https://git.kernel.org/stable/c/fbc7e61195e23f744814e78524b73b59faa54ab4