CVE-2025-38170

{"id": "CVE-2025-38170", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-07-03T09:15:32.643", "references": [{"url": "https://git.kernel.org/stable/c/43be952e885476dafb74aa832c0847b2f4f650c6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6103f9ba51a59afb5a0f32299c837377c5a5a693", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d3eaab3c70905c5467e5c4ea403053d67505adeb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/de89368de3894a8db27caeb8fd902ba1c49f696a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: Discard stale CPU state when handling SME traps\n\nThe logic for handling SME traps manipulates saved FPSIMD/SVE/SME state\nincorrectly, and a race with preemption can result in a task having\nTIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state\nis stale (e.g. with SME traps enabled). This can result in warnings from\ndo_sme_acc() where SME traps are not expected while TIF_SME is set:\n\n| /* With TIF_SME userspace shouldn't generate any traps */\n| if (test_and_set_thread_flag(TIF_SME))\n| WARN_ON(1);\n\nThis is very similar to the SVE issue we fixed in commit:\n\n 751ecf6afd6568ad (\"arm64/sve: Discard stale CPU state when handling SVE traps\")\n\nThe race can occur when the SME trap handler is preempted before and\nafter manipulating the saved FPSIMD/SVE/SME state, starting and ending on\nthe same CPU, e.g.\n\n| void do_sme_acc(unsigned long esr, struct pt_regs *regs)\n| {\n| // Trap on CPU 0 with TIF_SME clear, SME traps enabled\n| // task->fpsimd_cpu is 0.\n| // per_cpu_ptr(&fpsimd_last_state, 0) is task.\n|\n| ...\n|\n| // Preempted; migrated from CPU 0 to CPU 1.\n| // TIF_FOREIGN_FPSTATE is set.\n|\n| get_cpu_fpsimd_context();\n|\n| /* With TIF_SME userspace shouldn't generate any traps */\n| if (test_and_set_thread_flag(TIF_SME))\n| WARN_ON(1);\n|\n| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {\n| unsigned long vq_minus_one =\n| sve_vq_from_vl(task_get_sme_vl(current)) - 1;\n| sme_set_vq(vq_minus_one);\n|\n| fpsimd_bind_task_to_cpu();\n| }\n|\n| put_cpu_fpsimd_context();\n|\n| // Preempted; migrated from CPU 1 to CPU 0.\n| // task->fpsimd_cpu is still 0\n| // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:\n| // - Stale HW state is reused (with SME traps enabled)\n| // - TIF_FOREIGN_FPSTATE is cleared\n| // - A return to userspace skips HW state restore\n| }\n\nFix the case where the state is not live and TIF_FOREIGN_FPSTATE is set\nby calling fpsimd_flush_task_state() to detach from the saved CPU\nstate. This ensures that a subsequent context switch will not reuse the\nstale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the\nnew state to be reloaded from memory prior to a return to userspace.\n\nNote: this was originallly posted as [1].\n\n[ Rutland: rewrite commit message ]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arm64/fpsimd: Descartar estado de CPU obsoleto al manejar trampas de SME La l\u00f3gica para manejar trampas de SME manipula incorrectamente el estado FPSIMD/SVE/SME guardado, y una ejecuci\u00f3n con preempci\u00f3n puede dar como resultado que una tarea tenga TIF_SME establecido y TIF_FOREIGN_FPSTATE borrado incluso si el estado de CPU en vivo est\u00e1 obsoleto (por ejemplo, con trampas de SME habilitadas). Esto puede dar como resultado advertencias de do_sme_acc() donde no se esperan trampas de SME mientras TIF_SME est\u00e9 establecido: | /* Con TIF_SME, el espacio de usuario no deber\u00eda generar ninguna trampa */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); Esto es muy similar al problema de SVE que corregimos en el commit: 751ecf6afd6568ad (\"arm64/sve: descartar estado de CPU obsoleto al manejar trampas de SVE\") La ejecuci\u00f3n puede ocurrir cuando el controlador de trampas de SME se interrumpe antes y despu\u00e9s de manipular el estado FPSIMD/SVE/SME guardado, comenzando y terminando en la misma CPU, por ejemplo, | void do_sme_acc(unsigned long esr, struct pt_regs *regs) | { | // Trampa en la CPU 0 con TIF_SME limpio, trampas de SME habilitadas | // task->fpsimd_cpu es 0. | // per_cpu_ptr(&fpsimd_last_state, 0) es la tarea. | | ... | | // Interrumpido; migrado de la CPU 0 a la CPU 1. | // TIF_FOREIGN_FPSTATE est\u00e1 configurado. | | get_cpu_fpsimd_context(); | | /* Con TIF_SME el espacio de usuario no deber\u00eda generar ninguna trampa */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); | | if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { | unsigned long vq_minus_one = | sve_vq_from_vl(task_get_sme_vl(current)) - 1; | sme_set_vq(vq_minus_one); | | fpsimd_bind_task_to_cpu(); | } | | put_cpu_fpsimd_context(); | | // Interrumpido; migrado de la CPU 1 a la CPU 0. | // task->fpsimd_cpu sigue siendo 0 | // Si per_cpu_ptr(&fpsimd_last_state, 0) sigue siendo tarea, entonces: | // - Se reutiliza el estado de hardware obsoleto (con las trampas de SME habilitadas) | // - Se borra TIF_FOREIGN_FPSTATE | // - Al regresar al espacio de usuario, se omite la restauraci\u00f3n del estado de hardware | } Se soluciona el caso en el que el estado no est\u00e1 activo y TIF_FOREIGN_FPSTATE se establece llamando a fpsimd_flush_task_state() para separarlo del estado de CPU guardado. Esto garantiza que un cambio de contexto posterior no reutilice el estado de CPU obsoleto, sino que establezca TIF_FOREIGN_FPSTATE, forzando la recarga del nuevo estado desde la memoria antes de regresar al espacio de usuario. Nota: esto se public\u00f3 originalmente como [1]. [Rutland: reescribir el mensaje de confirmaci\u00f3n]"}], "lastModified": "2025-12-18T20:53:13.583", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8AC7C3FA-F2C7-4A80-A5BB-45E85C1E2C78", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.19"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "304E3F01-7D7A-4908-994E-7F95C5C00B06", "versionEndExcluding": "6.6.94", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4FFA54AA-CDFE-4591-BD07-72813D0948F4", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0541C761-BD5E-4C1A-8432-83B375D7EB92", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.13"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}