CVE-2025-40038
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-40038
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40038.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-40038
- Downstream
- Related
- Published
- 2025-10-28T11:48:18.889Z
- Modified
- 2025-12-01T23:21:56.307309Z
- Summary
- KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid
Skip the WRMSR and HLT fastpaths in SVM's VM-Exit handler if the next RIP isn't valid, e.g. because KVM is running with nrips=false. SVM must decode and emulate to skip the instruction if the CPU doesn't provide the next RIP, and getting the instruction bytes to decode requires reading guest memory. Reading guest memory through the emulator can fault, i.e. can sleep, which is disallowed since the fastpath handlers run with IRQs disabled.
BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:106 inatomic(): 1, irqsdisabled(): 1, nonblock: 0, pid: 32611, name: qemu preemptcount: 1, expected: 0 INFO: lockdep is turned off. irq event stamp: 30580 hardirqs last enabled at (30579): [<ffffffffc08b2527>] vcpurun+0x1787/0x1db0 [kvm] hardirqs last disabled at (30580): [<ffffffffb4f62e32>] _schedule+0x1e2/0xed0 softirqs last enabled at (30570): [<ffffffffb4247a64>] fpuswapkvmfpstate+0x44/0x210 softirqs last disabled at (30568): [<ffffffffb4247a64>] fpuswapkvmfpstate+0x44/0x210 CPU: 298 UID: 0 PID: 32611 Comm: qemu Tainted: G U 6.16.0-smp--e6c618b51cfe-sleep #782 NONE Tainted: [U]=USER Hardware name: Google Astoria-Turin/astoria, BIOS 0.20241223.2-0 01/17/2025 Call Trace: <TASK> dumpstacklvl+0x7d/0xb0 _mightresched+0x271/0x290 _mightfault+0x28/0x80 kvmvcpureadguestpage+0x8d/0xc0 [kvm] kvmfetchguestvirt+0x92/0xc0 [kvm] _doinsnfetchbytes+0xf3/0x1e0 [kvm] x86decodeinsn+0xd1/0x1010 [kvm] x86emulateinstruction+0x105/0x810 [kvm] _svmskipemulatedinstruction+0xc4/0x140 [kvmamd] handlefastpathinvd+0xc4/0x1a0 [kvm] vcpurun+0x11a1/0x1db0 [kvm] kvmarchvcpuioctlrun+0x5cc/0x730 [kvm] kvmvcpuioctl+0x578/0x6a0 [kvm] _sesysioctl+0x6d/0xb0 dosyscall64+0x8a/0x2c0 entrySYSCALL64afterhwframe+0x4b/0x53 RIP: 0033:0x7f479d57a94b </TASK>
Note, this is essentially a reapply of commit 5c30e8101e8d ("KVM: SVM: Skip WRMSR fastpath on VM-Exit if next RIP isn't valid"), but with different justification (KVM now grabs SRCU when skipping the instruction for other reasons).
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40038.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/0910dd7c9ad45a2605c45fd2bf3d1bcac087687c
- https://git.kernel.org/stable/c/cd3efb93677c4b0cf76348882fb429165fee33fd
- https://git.kernel.org/stable/c/da2a3c231f7f2a5ac146d972b8c1d7d84aff6d70
- https://git.kernel.org/stable/c/f994e9c790ce97d3cf01af4d0a1b9add0c955aee
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40038.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-40038
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedb439eb8ab578557263815ba8581d02c1b730e348Fixedcd3efb93677c4b0cf76348882fb429165fee33fdFixedf994e9c790ce97d3cf01af4d0a1b9add0c955aeeFixedda2a3c231f7f2a5ac146d972b8c1d7d84aff6d70Fixed0910dd7c9ad45a2605c45fd2bf3d1bcac087687c