ghsa-jm8p-ggg3-gfgw
Vulnerability from github
Published
2025-10-04 09:30
Modified
2025-10-04 09:30
Details

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked()

When

9770b428b1a2 ("crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown")

moved the error messages dumping so that they don't need to be issued by the callers, it missed the case where __sev_firmware_shutdown() calls __sev_platform_shutdown_locked() with a NULL argument which leads to a NULL ptr deref on the shutdown path, during suspend to disk:

#PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 983 Comm: hib.sh Not tainted 6.17.0-rc4+ #1 PREEMPT(voluntary) Hardware name: Supermicro Super Server/H12SSL-i, BIOS 2.5 09/08/2022 RIP: 0010:__sev_platform_shutdown_locked.cold+0x0/0x21 [ccp]

That rIP is:

00000000000006fd <__sev_platform_shutdown_locked.cold>: 6fd: 8b 13 mov (%rbx),%edx 6ff: 48 8b 7d 00 mov 0x0(%rbp),%rdi 703: 89 c1 mov %eax,%ecx

Code: 74 05 31 ff 41 89 3f 49 8b 3e 89 ea 48 c7 c6 a0 8e 54 a0 41 bf 92 ff ff ff e8 e5 2e 09 e1 c6 05 2a d4 38 00 01 e9 26 af ff ff <8b> 13 48 8b 7d 00 89 c1 48 c7 c6 18 90 54 a0 89 44 24 04 e8 c1 2e RSP: 0018:ffffc90005467d00 EFLAGS: 00010282 RAX: 00000000ffffff92 RBX: 0000000000000000 RCX: 0000000000000000 ^^^^^^^^^^^^^^^^ and %rbx is nice and clean.

Call Trace: __sev_firmware_shutdown.isra.0 sev_dev_destroy psp_dev_destroy sp_destroy pci_device_shutdown device_shutdown kernel_power_off hibernate.cold state_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe

Pass in a pointer to the function-local error var in the caller.

With that addressed, suspending the ccp shows the error properly at least:

ccp 0000:47:00.1: sev command 0x2 timed out, disabling PSP ccp 0000:47:00.1: SEV: failed to SHUTDOWN error 0x0, rc -110 SEV-SNP: Leaking PFN range 0x146800-0x146a00 SEV-SNP: PFN 0x146800 unassigned, dumping non-zero entries in 2M PFN region: [0x146800 - 0x146a00] ... ccp 0000:47:00.1: SEV-SNP firmware shutdown failed, rc -16, error 0x0 ACPI: PM: Preparing to enter system sleep state S5 kvm: exiting hardware virtualization reboot: Power down

Btw, this driver is crying to be cleaned up to pass in a proper I/O struct which can be used to store information between the different functions, otherwise stuff like that will happen in the future again.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39936"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-04T08:15:46Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked()\n\nWhen\n\n  9770b428b1a2 (\"crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown\")\n\nmoved the error messages dumping so that they don\u0027t need to be issued by\nthe callers, it missed the case where __sev_firmware_shutdown() calls\n__sev_platform_shutdown_locked() with a NULL argument which leads to\na NULL ptr deref on the shutdown path, during suspend to disk:\n\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0000 [#1] SMP NOPTI\n  CPU: 0 UID: 0 PID: 983 Comm: hib.sh Not tainted 6.17.0-rc4+ #1 PREEMPT(voluntary)\n  Hardware name: Supermicro Super Server/H12SSL-i, BIOS 2.5 09/08/2022\n  RIP: 0010:__sev_platform_shutdown_locked.cold+0x0/0x21 [ccp]\n\nThat rIP is:\n\n  00000000000006fd \u003c__sev_platform_shutdown_locked.cold\u003e:\n   6fd:   8b 13                   mov    (%rbx),%edx\n   6ff:   48 8b 7d 00             mov    0x0(%rbp),%rdi\n   703:   89 c1                   mov    %eax,%ecx\n\n  Code: 74 05 31 ff 41 89 3f 49 8b 3e 89 ea 48 c7 c6 a0 8e 54 a0 41 bf 92 ff ff ff e8 e5 2e 09 e1 c6 05 2a d4 38 00 01 e9 26 af ff ff \u003c8b\u003e 13 48 8b 7d 00 89 c1 48 c7 c6 18 90 54 a0 89 44 24 04 e8 c1 2e\n  RSP: 0018:ffffc90005467d00 EFLAGS: 00010282\n  RAX: 00000000ffffff92 RBX: 0000000000000000 RCX: 0000000000000000\n  \t\t\t     ^^^^^^^^^^^^^^^^\nand %rbx is nice and clean.\n\n  Call Trace:\n   \u003cTASK\u003e\n   __sev_firmware_shutdown.isra.0\n   sev_dev_destroy\n   psp_dev_destroy\n   sp_destroy\n   pci_device_shutdown\n   device_shutdown\n   kernel_power_off\n   hibernate.cold\n   state_store\n   kernfs_fop_write_iter\n   vfs_write\n   ksys_write\n   do_syscall_64\n   entry_SYSCALL_64_after_hwframe\n\nPass in a pointer to the function-local error var in the caller.\n\nWith that addressed, suspending the ccp shows the error properly at\nleast:\n\n  ccp 0000:47:00.1: sev command 0x2 timed out, disabling PSP\n  ccp 0000:47:00.1: SEV: failed to SHUTDOWN error 0x0, rc -110\n  SEV-SNP: Leaking PFN range 0x146800-0x146a00\n  SEV-SNP: PFN 0x146800 unassigned, dumping non-zero entries in 2M PFN region: [0x146800 - 0x146a00]\n  ...\n  ccp 0000:47:00.1: SEV-SNP firmware shutdown failed, rc -16, error 0x0\n  ACPI: PM: Preparing to enter system sleep state S5\n  kvm: exiting hardware virtualization\n  reboot: Power down\n\nBtw, this driver is crying to be cleaned up to pass in a proper I/O\nstruct which can be used to store information between the different\nfunctions, otherwise stuff like that will happen in the future again.",
  "id": "GHSA-jm8p-ggg3-gfgw",
  "modified": "2025-10-04T09:30:20Z",
  "published": "2025-10-04T09:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39936"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/46834d90a9a13549264b9581067d8f746b4b36cc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bc509293c9d4f4f74e776f4a0bbb61f63c041938"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.