vulnerability
Ubuntu: (Multiple Advisories) (CVE-2025-21632): Linux kernel vulnerabilities
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:L/AC:L/Au:S/C:C/I:C/A:C) | 2025-01-19 | 2025-03-28 | 2025-04-02 |
Description
In the Linux kernel, the following vulnerability has been resolved:
x86/fpu: Ensure shadow stack is active before "getting" registers
The x86 shadow stack support has its own set of registers. Those registers
are XSAVE-managed, but they are "supervisor state components" which means
that userspace can not touch them with XSAVE/XRSTOR. It also means that
they are not accessible from the existing ptrace ABI for XSAVE state.
Thus, there is a new ptrace get/set interface for it.
The regset code that ptrace uses provides an ->active() handler in
addition to the get/set ones. For shadow stack this ->active() handler
verifies that shadow stack is enabled via the ARCH_SHSTK_SHSTK bit in the
thread struct. The ->active() handler is checked from some call sites of
the regset get/set handlers, but not the ptrace ones. This was not
understood when shadow stack support was put in place.
As a result, both the set/get handlers can be called with
XFEATURE_CET_USER in its init state, which would cause get_xsave_addr() to
return NULL and trigger a WARN_ON(). The ssp_set() handler luckily has an
ssp_active() check to avoid surprising the kernel with shadow stack
behavior when the kernel is not ready for it (ARCH_SHSTK_SHSTK==0). That
check just happened to avoid the warning.
But the ->get() side wasn't so lucky. It can be called with shadow stacks
disabled, triggering the warning in practice, as reported by Christina
Schimpe:
WARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 ssp_get+0x89/0xa0
[...]
Call Trace:
? show_regs+0x6e/0x80
? ssp_get+0x89/0xa0
? __warn+0x91/0x150
? ssp_get+0x89/0xa0
? report_bug+0x19d/0x1b0
? handle_bug+0x46/0x80
? exc_invalid_op+0x1d/0x80
? asm_exc_invalid_op+0x1f/0x30
? __pfx_ssp_get+0x10/0x10
? ssp_get+0x89/0xa0
? ssp_get+0x52/0xa0
__regset_get+0xad/0xf0
copy_regset_to_user+0x52/0xc0
ptrace_regset+0x119/0x140
ptrace_request+0x13c/0x850
? wait_task_inactive+0x142/0x1d0
? do_syscall_64+0x6d/0x90
arch_ptrace+0x102/0x300
[...]
Ensure that shadow stacks are active in a thread before looking them up
in the XSAVE buffer. Since ARCH_SHSTK_SHSTK and user_ssp[SHSTK_EN] are
set at the same time, the active check ensures that there will be
something to find in the XSAVE buffer.
[ dhansen: changelog/subject tweaks ]
Solution(s)
References
- CVE-2025-21632
- https://attackerkb.com/topics/CVE-2025-21632
- UBUNTU-USN-7379-1
- UBUNTU-USN-7379-2
- UBUNTU-USN-7380-1
- UBUNTU-USN-7381-1
- UBUNTU-USN-7382-1
- URL-https://git.kernel.org/linus/a9d9c33132d49329ada647e4514d210d15e31d81
- URL-https://git.kernel.org/stable/c/0a3a872214188e4268d31581ed0cd44508e038cf
- URL-https://git.kernel.org/stable/c/6bfe1fc22f462bec87422cdcbec4d7a2f43ff01d
- URL-https://git.kernel.org/stable/c/a9d9c33132d49329ada647e4514d210d15e31d81
- URL-https://ubuntu.com/security/notices/USN-7379-1
- URL-https://ubuntu.com/security/notices/USN-7380-1
- URL-https://ubuntu.com/security/notices/USN-7381-1
- URL-https://ubuntu.com/security/notices/USN-7382-1
- URL-https://www.cve.org/CVERecord?id=CVE-2025-21632
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.