CVE-2025-21632
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-21632
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21632.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-21632
- Downstream
- Related
- Published
- 2025-01-19T10:17:50Z
- Modified
- 2025-10-15T21:14:46.071957Z
- Summary
- x86/fpu: Ensure shadow stack is active before "getting" registers
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
x86/fpu: Ensure shadow stack is active before "getting" registers
The x86 shadow stack support has its own set of registers. Those registers are XSAVE-managed, but they are "supervisor state components" which means that userspace can not touch them with XSAVE/XRSTOR. It also means that they are not accessible from the existing ptrace ABI for XSAVE state. Thus, there is a new ptrace get/set interface for it.
The regset code that ptrace uses provides an ->active() handler in addition to the get/set ones. For shadow stack this ->active() handler verifies that shadow stack is enabled via the ARCHSHSTKSHSTK bit in the thread struct. The ->active() handler is checked from some call sites of the regset get/set handlers, but not the ptrace ones. This was not understood when shadow stack support was put in place.
As a result, both the set/get handlers can be called with XFEATURECETUSER in its init state, which would cause getxsaveaddr() to return NULL and trigger a WARNON(). The sspset() handler luckily has an sspactive() check to avoid surprising the kernel with shadow stack behavior when the kernel is not ready for it (ARCHSHSTK_SHSTK==0). That check just happened to avoid the warning.
But the ->get() side wasn't so lucky. It can be called with shadow stacks disabled, triggering the warning in practice, as reported by Christina Schimpe:
WARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 sspget+0x89/0xa0 [...] Call Trace: <TASK> ? showregs+0x6e/0x80 ? sspget+0x89/0xa0 ? _warn+0x91/0x150 ? sspget+0x89/0xa0 ? reportbug+0x19d/0x1b0 ? handlebug+0x46/0x80 ? excinvalidop+0x1d/0x80 ? asmexcinvalidop+0x1f/0x30 ? _pfxsspget+0x10/0x10 ? sspget+0x89/0xa0 ? sspget+0x52/0xa0 _regsetget+0xad/0xf0 copyregsettouser+0x52/0xc0 ptraceregset+0x119/0x140 ptracerequest+0x13c/0x850 ? waittaskinactive+0x142/0x1d0 ? dosyscall64+0x6d/0x90 arch_ptrace+0x102/0x300 [...]
Ensure that shadow stacks are active in a thread before looking them up in the XSAVE buffer. Since ARCHSHSTKSHSTK and userssp[SHSTKEN] are set at the same time, the active check ensures that there will be something to find in the XSAVE buffer.
[ dhansen: changelog/subject tweaks ]
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2fab02b25ae7cf5f714ab456b03d9a3fe5ae98c9Fixed0a3a872214188e4268d31581ed0cd44508e038cf
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2fab02b25ae7cf5f714ab456b03d9a3fe5ae98c9Fixed6bfe1fc22f462bec87422cdcbec4d7a2f43ff01d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2fab02b25ae7cf5f714ab456b03d9a3fe5ae98c9Fixeda9d9c33132d49329ada647e4514d210d15e31d81