CVE-2025-40026

Summary

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O

When completing emulation of instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O. If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace, KVM will treat the access as being intercepted despite already having emulated the I/O access.

Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation. Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the intended "recipient") can reach the code in question. gp_interception()'s use is mutually exclusive with is_guest_mode(), and complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with EMULTYPE_SKIP.

The bad behavior was detected by a syzkaller program that toggles port I/O interception during the userspace I/O exit, ultimately resulting in a WARN on vcpu->arch.pio.count being non-zero due to KVM no completing emulation of the I/O instruction.

WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm] Modules linked in: kvm_intel kvm irqbypass CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm] PKRU: 55555554 Call Trace: <TASK> kvm_fast_pio+0xd6/0x1d0 [kvm] vmx_handle_exit+0x149/0x610 [kvm_intel] kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm] kvm_vcpu_ioctl+0x244/0x8c0 [kvm] __x64_sys_ioctl+0x8a/0xd0 do_syscall_64+0x5d/0xc60 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK>

Affected Software

VendorProductVersion RangeStatus
LinuxLinux8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < a908eca437789589dd4624da428614c1275064dcaffected
LinuxLinux8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < 00338255bb1f422642fb2798ebe92e93b6e4209baffected
LinuxLinux8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < e0ce3ed1048a47986d15aef1a98ebda25560d257affected
LinuxLinux8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < ba35a5d775799ce5ad60230be97336f2fefd518eaffected
LinuxLinux8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < 3d3abf3f7e8b1abb082070a343de82d7efc80523affected
LinuxLinux8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < e7177c7e32cb806f348387b7f4faafd4a5b32054affected
LinuxLinux8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < 3a062a5c55adc5507600b9ae6d911e247e2f1d6eaffected
LinuxLinux8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < 7366830642505683bbe905a2ba5d18d6e4b512b8affected
LinuxLinux8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < e750f85391286a4c8100275516973324b621a269affected
LinuxLinux3.0affected
LinuxLinux0 < 3.0unaffected
LinuxLinux5.4.301 <= 5.4.*unaffected
LinuxLinux5.10.246 <= 5.10.*unaffected
LinuxLinux5.15.195 <= 5.15.*unaffected
LinuxLinux6.1.157 <= 6.1.*unaffected
LinuxLinux6.6.111 <= 6.6.*unaffected
LinuxLinux6.12.52 <= 6.12.*unaffected
LinuxLinux6.16.12 <= 6.16.*unaffected
LinuxLinux6.17.2 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References