{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-15T22:13:53.050","vulnerabilities":[{"cve":{"id":"CVE-2025-38170","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-07-03T09:15:32.643","lastModified":"2025-12-18T20:53:13.583","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: Discard stale CPU state when handling SME traps\n\nThe logic for handling SME traps manipulates saved FPSIMD/SVE/SME state\nincorrectly, and a race with preemption can result in a task having\nTIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state\nis stale (e.g. with SME traps enabled). This can result in warnings from\ndo_sme_acc() where SME traps are not expected while TIF_SME is set:\n\n| /* With TIF_SME userspace shouldn't generate any traps */\n| if (test_and_set_thread_flag(TIF_SME))\n| WARN_ON(1);\n\nThis is very similar to the SVE issue we fixed in commit:\n\n 751ecf6afd6568ad (\"arm64/sve: Discard stale CPU state when handling SVE traps\")\n\nThe race can occur when the SME trap handler is preempted before and\nafter manipulating the saved FPSIMD/SVE/SME state, starting and ending on\nthe same CPU, e.g.\n\n| void do_sme_acc(unsigned long esr, struct pt_regs *regs)\n| {\n| // Trap on CPU 0 with TIF_SME clear, SME traps enabled\n| // task->fpsimd_cpu is 0.\n| // per_cpu_ptr(&fpsimd_last_state, 0) is task.\n|\n| ...\n|\n| // Preempted; migrated from CPU 0 to CPU 1.\n| // TIF_FOREIGN_FPSTATE is set.\n|\n| get_cpu_fpsimd_context();\n|\n| /* With TIF_SME userspace shouldn't generate any traps */\n| if (test_and_set_thread_flag(TIF_SME))\n| WARN_ON(1);\n|\n| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {\n| unsigned long vq_minus_one =\n| sve_vq_from_vl(task_get_sme_vl(current)) - 1;\n| sme_set_vq(vq_minus_one);\n|\n| fpsimd_bind_task_to_cpu();\n| }\n|\n| put_cpu_fpsimd_context();\n|\n| // Preempted; migrated from CPU 1 to CPU 0.\n| // task->fpsimd_cpu is still 0\n| // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:\n| // - Stale HW state is reused (with SME traps enabled)\n| // - TIF_FOREIGN_FPSTATE is cleared\n| // - A return to userspace skips HW state restore\n| }\n\nFix the case where the state is not live and TIF_FOREIGN_FPSTATE is set\nby calling fpsimd_flush_task_state() to detach from the saved CPU\nstate. This ensures that a subsequent context switch will not reuse the\nstale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the\nnew state to be reloaded from memory prior to a return to userspace.\n\nNote: this was originallly posted as [1].\n\n[ Rutland: rewrite commit message ]"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arm64/fpsimd: Descartar estado de CPU obsoleto al manejar trampas de SME La lógica para manejar trampas de SME manipula incorrectamente el estado FPSIMD/SVE/SME guardado, y una ejecución con preempción puede dar como resultado que una tarea tenga TIF_SME establecido y TIF_FOREIGN_FPSTATE borrado incluso si el estado de CPU en vivo está obsoleto (por ejemplo, con trampas de SME habilitadas). Esto puede dar como resultado advertencias de do_sme_acc() donde no se esperan trampas de SME mientras TIF_SME esté establecido: | /* Con TIF_SME, el espacio de usuario no debería generar ninguna trampa */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); Esto es muy similar al problema de SVE que corregimos en el commit: 751ecf6afd6568ad (\"arm64/sve: descartar estado de CPU obsoleto al manejar trampas de SVE\") La ejecución puede ocurrir cuando el controlador de trampas de SME se interrumpe antes y después de manipular el estado FPSIMD/SVE/SME guardado, comenzando y terminando en la misma CPU, por ejemplo, | void do_sme_acc(unsigned long esr, struct pt_regs *regs) | { | // Trampa en la CPU 0 con TIF_SME limpio, trampas de SME habilitadas | // task->fpsimd_cpu es 0. | // per_cpu_ptr(&fpsimd_last_state, 0) es la tarea. | | ... | | // Interrumpido; migrado de la CPU 0 a la CPU 1. | // TIF_FOREIGN_FPSTATE está configurado. | | get_cpu_fpsimd_context(); | | /* Con TIF_SME el espacio de usuario no debería generar ninguna trampa */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); | | if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { | unsigned long vq_minus_one = | sve_vq_from_vl(task_get_sme_vl(current)) - 1; | sme_set_vq(vq_minus_one); | | fpsimd_bind_task_to_cpu(); | } | | put_cpu_fpsimd_context(); | | // Interrumpido; migrado de la CPU 1 a la CPU 0. | // task->fpsimd_cpu sigue siendo 0 | // Si per_cpu_ptr(&fpsimd_last_state, 0) sigue siendo tarea, entonces: | // - Se reutiliza el estado de hardware obsoleto (con las trampas de SME habilitadas) | // - Se borra TIF_FOREIGN_FPSTATE | // - Al regresar al espacio de usuario, se omite la restauración del estado de hardware | } Se soluciona el caso en el que el estado no está activo y TIF_FOREIGN_FPSTATE se establece llamando a fpsimd_flush_task_state() para separarlo del estado de CPU guardado. Esto garantiza que un cambio de contexto posterior no reutilice el estado de CPU obsoleto, sino que establezca TIF_FOREIGN_FPSTATE, forzando la recarga del nuevo estado desde la memoria antes de regresar al espacio de usuario. Nota: esto se publicó originalmente como [1]. [Rutland: reescribir el mensaje de confirmación]"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.1.142","matchCriteriaId":"8AC7C3FA-F2C7-4A80-A5BB-45E85C1E2C78"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.94","matchCriteriaId":"304E3F01-7D7A-4908-994E-7F95C5C00B06"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.34","matchCriteriaId":"4FFA54AA-CDFE-4591-BD07-72813D0948F4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.3","matchCriteriaId":"0541C761-BD5E-4C1A-8432-83B375D7EB92"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","matchCriteriaId":"FA6FEEC2-9F11-4643-8827-749718254FED"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/43be952e885476dafb74aa832c0847b2f4f650c6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6103f9ba51a59afb5a0f32299c837377c5a5a693","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d3eaab3c70905c5467e5c4ea403053d67505adeb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/de89368de3894a8db27caeb8fd902ba1c49f696a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}