CVE-2025-40026
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O
When completing emulation of instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O. If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace, KVM will treat the access as being intercepted despite already having emulated the I/O access.
Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation. Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the intended "recipient") can reach the code in question. gp_interception()'s use is mutually exclusive with is_guest_mode(), and complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with EMULTYPE_SKIP.
The bad behavior was detected by a syzkaller program that toggles port I/O interception during the userspace I/O exit, ultimately resulting in a WARN on vcpu->arch.pio.count being non-zero due to KVM no completing emulation of the I/O instruction.
WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm] Modules linked in: kvm_intel kvm irqbypass CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm] PKRU: 55555554 Call Trace: <TASK> kvm_fast_pio+0xd6/0x1d0 [kvm] vmx_handle_exit+0x149/0x610 [kvm_intel] kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm] kvm_vcpu_ioctl+0x244/0x8c0 [kvm] __x64_sys_ioctl+0x8a/0xd0 do_syscall_64+0x5d/0xc60 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK>
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < a908eca437789589dd4624da428614c1275064dc | affected |
| Linux | Linux | 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < 00338255bb1f422642fb2798ebe92e93b6e4209b | affected |
| Linux | Linux | 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < e0ce3ed1048a47986d15aef1a98ebda25560d257 | affected |
| Linux | Linux | 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < ba35a5d775799ce5ad60230be97336f2fefd518e | affected |
| Linux | Linux | 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < 3d3abf3f7e8b1abb082070a343de82d7efc80523 | affected |
| Linux | Linux | 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < e7177c7e32cb806f348387b7f4faafd4a5b32054 | affected |
| Linux | Linux | 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < 3a062a5c55adc5507600b9ae6d911e247e2f1d6e | affected |
| Linux | Linux | 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < 7366830642505683bbe905a2ba5d18d6e4b512b8 | affected |
| Linux | Linux | 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 < e750f85391286a4c8100275516973324b621a269 | affected |
| Linux | Linux | 3.0 | affected |
| Linux | Linux | 0 < 3.0 | unaffected |
| Linux | Linux | 5.4.301 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.246 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.195 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.157 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.111 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.52 <= 6.12.* | unaffected |
| Linux | Linux | 6.16.12 <= 6.16.* | unaffected |
| Linux | Linux | 6.17.2 <= 6.17.* | unaffected |
| Linux | Linux | 6.18 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/a908eca437789589dd4624da428614c1275064dc
- https://git.kernel.org/stable/c/00338255bb1f422642fb2798ebe92e93b6e4209b
- https://git.kernel.org/stable/c/e0ce3ed1048a47986d15aef1a98ebda25560d257
- https://git.kernel.org/stable/c/ba35a5d775799ce5ad60230be97336f2fefd518e
- https://git.kernel.org/stable/c/3d3abf3f7e8b1abb082070a343de82d7efc80523
- https://git.kernel.org/stable/c/e7177c7e32cb806f348387b7f4faafd4a5b32054
- https://git.kernel.org/stable/c/3a062a5c55adc5507600b9ae6d911e247e2f1d6e
- https://git.kernel.org/stable/c/7366830642505683bbe905a2ba5d18d6e4b512b8
- https://git.kernel.org/stable/c/e750f85391286a4c8100275516973324b621a269
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.