CVE-2025-21713

On pSeries, when user attempts to use the same vfio container used by different iommu group, the spaprtceset_window() returns -EPERM and the subsequent cleanup leads to the below crash.

Kernel attempted to read user page (308) - exploit attempt? BUG: Kernel NULL pointer dereference on read at 0x00000308 Faulting instruction address: 0xc0000000001ce358 Oops: Kernel access of bad area, sig: 11 [#1] NIP: c0000000001ce358 LR: c0000000001ce05c CTR: c00000000005add0 <snip> NIP [c0000000001ce358] spaprtceunsetwindow+0x3b8/0x510 LR [c0000000001ce05c] spaprtceunsetwindow+0xbc/0x510 Call Trace: spaprtceunsetwindow+0xbc/0x510 (unreliable) tceiommuattachgroup+0x24c/0x340 [vfioiommuspaprtce] vfiocontainerattachgroup+0xec/0x240 [vfio] vfiogroupfopsunlioctl+0x548/0xb00 [vfio] sysioctl+0x754/0x1580 systemcallexception+0x13c/0x330 systemcallvectoredcommon+0x15c/0x2ec <snip> --- interrupt: 3000

Fix this by having null check for the tbl passed to the spaprtceunset_window().

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f431a8cde7f102fce412546db6e62fdbde1131a7

Fixed

b853ff0b514c1df314246fcf94744005914b48cb

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f431a8cde7f102fce412546db6e62fdbde1131a7

Fixed

ac12372a13dab3f7a2762db240bd180de8ef1e5e

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f431a8cde7f102fce412546db6e62fdbde1131a7

Fixed

17391cb2613b82f8c405570fea605af3255ff8d2

Affected versions

v6.*

v6.10

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.2

v6.12.3

v6.12.4

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.13.1

Database specific

vanir_signatures

[
    {
        "digest": {
            "length": 1312.0,
            "function_hash": "331703824438996947920449215998950830952"
        },
        "target": {
            "function": "spapr_tce_unset_window",
            "file": "arch/powerpc/platforms/pseries/iommu.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@17391cb2613b82f8c405570fea605af3255ff8d2",
        "id": "CVE-2025-21713-2261a545"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "222843004229799453622006679874814369008",
                "235953033030322541548193763581308830394",
                "206860078344226222141764791215309029504"
            ]
        },
        "target": {
            "file": "arch/powerpc/platforms/pseries/iommu.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b853ff0b514c1df314246fcf94744005914b48cb",
        "id": "CVE-2025-21713-45944d01"
    },
    {
        "digest": {
            "length": 1312.0,
            "function_hash": "331703824438996947920449215998950830952"
        },
        "target": {
            "function": "spapr_tce_unset_window",
            "file": "arch/powerpc/platforms/pseries/iommu.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b853ff0b514c1df314246fcf94744005914b48cb",
        "id": "CVE-2025-21713-6fe71baa"
    },
    {
        "digest": {
            "length": 1312.0,
            "function_hash": "331703824438996947920449215998950830952"
        },
        "target": {
            "function": "spapr_tce_unset_window",
            "file": "arch/powerpc/platforms/pseries/iommu.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ac12372a13dab3f7a2762db240bd180de8ef1e5e",
        "id": "CVE-2025-21713-8281e89c"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "222843004229799453622006679874814369008",
                "235953033030322541548193763581308830394",
                "206860078344226222141764791215309029504"
            ]
        },
        "target": {
            "file": "arch/powerpc/platforms/pseries/iommu.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ac12372a13dab3f7a2762db240bd180de8ef1e5e",
        "id": "CVE-2025-21713-dbefec33"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "222843004229799453622006679874814369008",
                "235953033030322541548193763581308830394",
                "206860078344226222141764791215309029504"
            ]
        },
        "target": {
            "file": "arch/powerpc/platforms/pseries/iommu.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@17391cb2613b82f8c405570fea605af3255ff8d2",
        "id": "CVE-2025-21713-fc462470"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.11.0

Fixed

6.12.13

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.13.2