cve/published/2025/CVE-2025-37885.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37885: KVM: x86: Reset IRTE to host control if *new* route isn't postable

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 KVM: x86: Reset IRTE to host control if *new* route isn't postable

 Restore an IRTE back to host control (remapped or posted MSI mode) if the
 *new* GSI route prevents posting the IRQ directly to a vCPU, regardless of
 the GSI routing type.  Updating the IRTE if and only if the new GSI is an
 MSI results in KVM leaving an IRTE posting to a vCPU.

 The dangling IRTE can result in interrupts being incorrectly delivered to
 the guest, and in the worst case scenario can result in use-after-free,
 e.g. if the VM is torn down, but the underlying host IRQ isn't freed.

 The Linux kernel CVE team has assigned CVE-2025-37885 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 5.10.237 with commit e5f2dee9f7fcd2ff4b97869f3c66a0d89c167769
 	Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 5.15.181 with commit 116c7d35b8f72eac383b9fd371d7c1a8ffc2968b
 	Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.1.136 with commit 023816bd5fa46fab94d1e7917fe131b79ed1fb41
 	Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.6.89 with commit 3481fd96d801715942b6f69fe251133128156f30
 	Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.12.26 with commit b5de7ac74f69603ad803c524b840bffd36368fc3
 	Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.14.5 with commit 3066ec21d1a33896125747f68638725f456308db
 	Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.15 with commit 9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37885
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kvm/svm/avic.c
 	arch/x86/kvm/vmx/posted_intr.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e5f2dee9f7fcd2ff4b97869f3c66a0d89c167769
 	https://git.kernel.org/stable/c/116c7d35b8f72eac383b9fd371d7c1a8ffc2968b
 	https://git.kernel.org/stable/c/023816bd5fa46fab94d1e7917fe131b79ed1fb41
 	https://git.kernel.org/stable/c/3481fd96d801715942b6f69fe251133128156f30
 	https://git.kernel.org/stable/c/b5de7ac74f69603ad803c524b840bffd36368fc3
 	https://git.kernel.org/stable/c/3066ec21d1a33896125747f68638725f456308db
 	https://git.kernel.org/stable/c/9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37885: KVM: x86: Reset IRTE to host control if new route isn't postable

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	KVM: x86: Reset IRTE to host control if new route isn't postable

	Restore an IRTE back to host control (remapped or posted MSI mode) if the
	new GSI route prevents posting the IRQ directly to a vCPU, regardless of
	the GSI routing type. Updating the IRTE if and only if the new GSI is an
	MSI results in KVM leaving an IRTE posting to a vCPU.

	The dangling IRTE can result in interrupts being incorrectly delivered to
	the guest, and in the worst case scenario can result in use-after-free,
	e.g. if the VM is torn down, but the underlying host IRQ isn't freed.

	The Linux kernel CVE team has assigned CVE-2025-37885 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 5.10.237 with commit e5f2dee9f7fcd2ff4b97869f3c66a0d89c167769
	Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 5.15.181 with commit 116c7d35b8f72eac383b9fd371d7c1a8ffc2968b
	Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.1.136 with commit 023816bd5fa46fab94d1e7917fe131b79ed1fb41
	Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.6.89 with commit 3481fd96d801715942b6f69fe251133128156f30
	Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.12.26 with commit b5de7ac74f69603ad803c524b840bffd36368fc3
	Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.14.5 with commit 3066ec21d1a33896125747f68638725f456308db
	Issue introduced in 4.4 with commit efc644048ecde54f016011fe10110addd0de348f and fixed in 6.15 with commit 9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37885
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kvm/svm/avic.c
	arch/x86/kvm/vmx/posted_intr.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e5f2dee9f7fcd2ff4b97869f3c66a0d89c167769
	https://git.kernel.org/stable/c/116c7d35b8f72eac383b9fd371d7c1a8ffc2968b
	https://git.kernel.org/stable/c/023816bd5fa46fab94d1e7917fe131b79ed1fb41
	https://git.kernel.org/stable/c/3481fd96d801715942b6f69fe251133128156f30
	https://git.kernel.org/stable/c/b5de7ac74f69603ad803c524b840bffd36368fc3
	https://git.kernel.org/stable/c/3066ec21d1a33896125747f68638725f456308db
	https://git.kernel.org/stable/c/9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2