CVE-2025-21713

EUVD-2025-5240

27.02.2025, 02:15

In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/iommu: Don't unset window if it was never set

On pSeries, when user attempts to use the same vfio container used by
different iommu group, the spapr_tce_set_window() returns -EPERM
and the subsequent cleanup leads to the below crash.

   Kernel attempted to read user page (308) - exploit attempt?
   BUG: Kernel NULL pointer dereference on read at 0x00000308
   Faulting instruction address: 0xc0000000001ce358
   Oops: Kernel access of bad area, sig: 11 [#1]
   NIP:  c0000000001ce358 LR: c0000000001ce05c CTR: c00000000005add0
   <snip>
   NIP [c0000000001ce358] spapr_tce_unset_window+0x3b8/0x510
   LR [c0000000001ce05c] spapr_tce_unset_window+0xbc/0x510
   Call Trace:
     spapr_tce_unset_window+0xbc/0x510 (unreliable)
     tce_iommu_attach_group+0x24c/0x340 [vfio_iommu_spapr_tce]
     vfio_container_attach_group+0xec/0x240 [vfio]
     vfio_group_fops_unl_ioctl+0x548/0xb00 [vfio]
     sys_ioctl+0x754/0x1580
     system_call_exception+0x13c/0x330
     system_call_vectored_common+0x15c/0x2ec
   <snip>
   --- interrupt: 3000

Fix this by having null check for the tbl passed to the
spapr_tce_unset_window().

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 7%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	6.11 ≤ 𝑥 < 6.12.13
linux	linux_kernel	6.13 ≤ 𝑥 < 6.13.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.257-1 fixed
forky	7.0.9-1 fixed
sid	7.0.10-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.90-2 fixed

openSUSE / SLES Releases

openSUSE Product

Release

kernel-64kb

suse enterprise desktop 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.6.1 fixed

kernel-azure

suse enterprise sap 15 SP7	6.4.0-150700.20.6.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.6.1 fixed

kernel-default

suse enterprise desktop 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.6.1 fixed

kernel-default-base

suse enterprise desktop 15 SP7	6.4.0-150700.53.6.1.150700.17.6.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.6.1.150700.17.6.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.6.1.150700.17.6.1 fixed

kernel-docs

suse enterprise desktop 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.6.1 fixed

kernel-macros

suse enterprise desktop 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.6.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.6.1 fixed

kernel-source

suse enterprise desktop 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.6.1 fixed

kernel-source-azure

suse enterprise sap 15 SP7	6.4.0-150700.20.6.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.6.1 fixed

kernel-syms

suse enterprise desktop 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.6.1 fixed

kernel-syms-azure

suse enterprise sap 15 SP7	6.4.0-150700.20.6.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.6.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.6.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.6.1 fixed

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://git.kernel.org/stable/c/17391cb2613b82f8c405570fea605af3255ff8d2

https://git.kernel.org/stable/c/ac12372a13dab3f7a2762db240bd180de8ef1e5e

https://git.kernel.org/stable/c/b853ff0b514c1df314246fcf94744005914b48cb