{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39936", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.148Z", "datePublished": "2025-10-04T07:30:59.857Z", "dateUpdated": "2025-10-04T07:30:59.857Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-10-04T07:30:59.857Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked()\n\nWhen\n\n 9770b428b1a2 (\"crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown\")\n\nmoved the error messages dumping so that they don't need to be issued by\nthe callers, it missed the case where __sev_firmware_shutdown() calls\n__sev_platform_shutdown_locked() with a NULL argument which leads to\na NULL ptr deref on the shutdown path, during suspend to disk:\n\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 0 UID: 0 PID: 983 Comm: hib.sh Not tainted 6.17.0-rc4+ #1 PREEMPT(voluntary)\n Hardware name: Supermicro Super Server/H12SSL-i, BIOS 2.5 09/08/2022\n RIP: 0010:__sev_platform_shutdown_locked.cold+0x0/0x21 [ccp]\n\nThat rIP is:\n\n 00000000000006fd <__sev_platform_shutdown_locked.cold>:\n 6fd: 8b 13 mov (%rbx),%edx\n 6ff: 48 8b 7d 00 mov 0x0(%rbp),%rdi\n 703: 89 c1 mov %eax,%ecx\n\n Code: 74 05 31 ff 41 89 3f 49 8b 3e 89 ea 48 c7 c6 a0 8e 54 a0 41 bf 92 ff ff ff e8 e5 2e 09 e1 c6 05 2a d4 38 00 01 e9 26 af ff ff <8b> 13 48 8b 7d 00 89 c1 48 c7 c6 18 90 54 a0 89 44 24 04 e8 c1 2e\n RSP: 0018:ffffc90005467d00 EFLAGS: 00010282\n RAX: 00000000ffffff92 RBX: 0000000000000000 RCX: 0000000000000000\n \t\t\t ^^^^^^^^^^^^^^^^\nand %rbx is nice and clean.\n\n Call Trace:\n <TASK>\n __sev_firmware_shutdown.isra.0\n sev_dev_destroy\n psp_dev_destroy\n sp_destroy\n pci_device_shutdown\n device_shutdown\n kernel_power_off\n hibernate.cold\n state_store\n kernfs_fop_write_iter\n vfs_write\n ksys_write\n do_syscall_64\n entry_SYSCALL_64_after_hwframe\n\nPass in a pointer to the function-local error var in the caller.\n\nWith that addressed, suspending the ccp shows the error properly at\nleast:\n\n ccp 0000:47:00.1: sev command 0x2 timed out, disabling PSP\n ccp 0000:47:00.1: SEV: failed to SHUTDOWN error 0x0, rc -110\n SEV-SNP: Leaking PFN range 0x146800-0x146a00\n SEV-SNP: PFN 0x146800 unassigned, dumping non-zero entries in 2M PFN region: [0x146800 - 0x146a00]\n ...\n ccp 0000:47:00.1: SEV-SNP firmware shutdown failed, rc -16, error 0x0\n ACPI: PM: Preparing to enter system sleep state S5\n kvm: exiting hardware virtualization\n reboot: Power down\n\nBtw, this driver is crying to be cleaned up to pass in a proper I/O\nstruct which can be used to store information between the different\nfunctions, otherwise stuff like that will happen in the future again."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/crypto/ccp/sev-dev.c"], "versions": [{"version": "9770b428b1a28360663f1f5e524ee458b4cf454b", "lessThan": "bc509293c9d4f4f74e776f4a0bbb61f63c041938", "status": "affected", "versionType": "git"}, {"version": "9770b428b1a28360663f1f5e524ee458b4cf454b", "lessThan": "46834d90a9a13549264b9581067d8f746b4b36cc", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/crypto/ccp/sev-dev.c"], "versions": [{"version": "6.16", "status": "affected"}, {"version": "0", "lessThan": "6.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.9", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.16.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/bc509293c9d4f4f74e776f4a0bbb61f63c041938"}, {"url": "https://git.kernel.org/stable/c/46834d90a9a13549264b9581067d8f746b4b36cc"}], "title": "crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked()\n\nWhen\n\n 9770b428b1a2 (\"crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown\")\n\nmoved the error messages dumping so that they don't need to be issued by\nthe callers, it missed the case where __sev_firmware_shutdown() calls\n__sev_platform_shutdown_locked() with a NULL argument which leads to\na NULL ptr deref on the shutdown path, during suspend to disk:\n\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 0 UID: 0 PID: 983 Comm: hib.sh Not tainted 6.17.0-rc4+ #1 PREEMPT(voluntary)\n Hardware name: Supermicro Super Server/H12SSL-i, BIOS 2.5 09/08/2022\n RIP: 0010:__sev_platform_shutdown_locked.cold+0x0/0x21 [ccp]\n\nThat rIP is:\n\n 00000000000006fd <__sev_platform_shutdown_locked.cold>:\n 6fd: 8b 13 mov (%rbx),%edx\n 6ff: 48 8b 7d 00 mov 0x0(%rbp),%rdi\n 703: 89 c1 mov %eax,%ecx\n\n Code: 74 05 31 ff 41 89 3f 49 8b 3e 89 ea 48 c7 c6 a0 8e 54 a0 41 bf 92 ff ff ff e8 e5 2e 09 e1 c6 05 2a d4 38 00 01 e9 26 af ff ff <8b> 13 48 8b 7d 00 89 c1 48 c7 c6 18 90 54 a0 89 44 24 04 e8 c1 2e\n RSP: 0018:ffffc90005467d00 EFLAGS: 00010282\n RAX: 00000000ffffff92 RBX: 0000000000000000 RCX: 0000000000000000\n \t\t\t ^^^^^^^^^^^^^^^^\nand %rbx is nice and clean.\n\n Call Trace:\n <TASK>\n __sev_firmware_shutdown.isra.0\n sev_dev_destroy\n psp_dev_destroy\n sp_destroy\n pci_device_shutdown\n device_shutdown\n kernel_power_off\n hibernate.cold\n state_store\n kernfs_fop_write_iter\n vfs_write\n ksys_write\n do_syscall_64\n entry_SYSCALL_64_after_hwframe\n\nPass in a pointer to the function-local error var in the caller.\n\nWith that addressed, suspending the ccp shows the error properly at\nleast:\n\n ccp 0000:47:00.1: sev command 0x2 timed out, disabling PSP\n ccp 0000:47:00.1: SEV: failed to SHUTDOWN error 0x0, rc -110\n SEV-SNP: Leaking PFN range 0x146800-0x146a00\n SEV-SNP: PFN 0x146800 unassigned, dumping non-zero entries in 2M PFN region: [0x146800 - 0x146a00]\n ...\n ccp 0000:47:00.1: SEV-SNP firmware shutdown failed, rc -16, error 0x0\n ACPI: PM: Preparing to enter system sleep state S5\n kvm: exiting hardware virtualization\n reboot: Power down\n\nBtw, this driver is crying to be cleaned up to pass in a proper I/O\nstruct which can be used to store information between the different\nfunctions, otherwise stuff like that will happen in the future again."}], "id": "CVE-2025-39936", "lastModified": "2025-10-04T08:15:46.460", "metrics": {}, "published": "2025-10-04T08:15:46.460", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/46834d90a9a13549264b9581067d8f746b4b36cc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bc509293c9d4f4f74e776f4a0bbb61f63c041938"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}