CVE-2025-38594 (GCVE-0-2025-38594)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-08-19 17:03
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Fix UAF on sva unbind with pending IOPFs
Commit 17fce9d2336d ("iommu/vt-d: Put iopf enablement in domain attach
path") disables IOPF on the device by removing the device from its IOMMU's
IOPF queue when the last IOPF-capable domain is detached from the device.
Unfortunately, it did this in the wrong place, where there are still pending
IOPFs. As a result, a use-after-free error is potentially triggered and
eventually a kernel panic with a kernel trace similar to the following:
refcount_t: underflow; use-after-free.
WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0
Workqueue: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf
Call Trace:
<TASK>
iopf_free_group+0xe/0x20
process_one_work+0x197/0x3d0
worker_thread+0x23a/0x350
? rescuer_thread+0x4a0/0x4a0
kthread+0xf8/0x230
? finish_task_switch.isra.0+0x81/0x260
? kthreads_online_cpu+0x110/0x110
? kthreads_online_cpu+0x110/0x110
ret_from_fork+0x13b/0x170
? kthreads_online_cpu+0x110/0x110
ret_from_fork_asm+0x11/0x20
</TASK>
---[ end trace 0000000000000000 ]---
The intel_pasid_tear_down_entry() function is responsible for blocking
hardware from generating new page faults and flushing all in-flight
ones. Therefore, moving iopf_for_domain_remove() after this function
should resolve this.
References
- https://git.kernel.org/stable/c/c68332b7ee893292bba6e87d31ef2080c066c65d
- https://git.kernel.org/stable/c/f0b9d31c6edd50a6207489cd1bd4ddac814b9cd2
Impacted products
- Vendor / product: Linux / Linux (Linux kernel)
- Affected file: drivers/iommu/intel/iommu.c
- Repository: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Git range: affected from commit 17fce9d2336d952b95474248303e5e7d9777f2e0 (the commit that introduced the bug) until the fix commits c68332b7ee893292bba6e87d31ef2080c066c65d and f0b9d31c6edd50a6207489cd1bd4ddac814b9cd2
- Version range: 6.16 affected; versions before 6.16 unaffected; 6.16.1 and later 6.16.* releases unaffected; 6.17-rc1 unaffected (original commit for fix)
- CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* vulnerable from 6.16 (inclusive) up to 6.16.1 (exclusive), and from 6.16 (inclusive) up to 6.17-rc1 (exclusive)
Record metadata
- CVE ID: CVE-2025-38594, state PUBLISHED, CVE record data version 5.1
- Assigner: Linux (orgId 416baaa9-dc9f-4396-8d5f-8c081fb06d67); record generated by bippy-1.2.0
- Reserved: 2025-04-16T04:51:24.028Z; published: 2025-08-19T17:03:19.689Z; updated: 2025-08-19T17:03:19.689Z
- NVD: published 2025-08-19T17:15:37.213, last modified 2025-08-20T14:40:17.713, status "Awaiting Analysis", no metrics assigned
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.