2.5 KiB
CVE-2025-22013
Description
In the Linux kernel, the following vulnerability has been resolved:KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME stateThere are several problems with the way hyp code lazily saves the host'sFPSIMD/SVE state, including:* Host SVE being discarded unexpectedly due to inconsistent configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to result in QEMU crashes where SVE is used by memmove(), as reported by Eric Auger: https://issues.redhat.com/browse/RHEL-68997* Host SVE state is discarded after modification by ptrace, which was an unintentional ptrace ABI change introduced with lazy discarding of SVE state.* The host FPMR value can be discarded when running a non-protected VM, where FPMR support is not exposed to a VM, and that VM uses FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR before unbinding the host's FPSIMD/SVE/SME state, leaving a stale value in memory.Avoid these by eagerly saving and "flushing" the host's FPSIMD/SVE/SMEstate when loading a vCPU such that KVM does not need to save any of thehost's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() isremoved and the necessary call to fpsimd_save_and_flush_cpu_state() isplaced in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr'should not be used, they are set to NULL; all uses of these will beremoved in subsequent patches.Historical problems go back at least as far as v5.17, e.g. erroneousassumptions about TIF_SVE being clear in commit: 8383741ab2e773a9 ("KVM: arm64: Get rid of host SVE tracking/saving")... and so this eager save+flush probably needs to be backported to ALLstable trees.
POC
Reference
No PoCs from references.