CVE-2025-21991

{"id": "CVE-2025-21991", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-04-02T13:15:43.670", "references": [{"url": "https://git.kernel.org/stable/c/18b5d857c6496b78ead2fd10001b81ae32d30cac", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/488ffc0cac38f203979f83634236ee53251ce593", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5ac295dfccb5b015493f86694fa13a0dde4d3665", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/985a536e04bbfffb1770df43c6470f635a6b1073", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d509c4731090ebd9bbdb72c70a2d70003ae81f4f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e3e89178a9f4a80092578af3ff3c8478f9187d59", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e686349cc19e800dac8971929089ba5ff59abfb0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ec52240622c4d218d0240079b7c1d3ec2328a9f4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-129"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes\n\nCurrently, load_microcode_amd() iterates over all NUMA nodes, retrieves their\nCPU masks and unconditionally accesses per-CPU data for the first CPU of each\nmask.\n\nAccording to Documentation/admin-guide/mm/numaperf.rst:\n\n \"Some memory may share the same node as a CPU, and others are provided as\n memory only nodes.\"\n\nTherefore, some node CPU masks may be empty and wouldn't have a \"first CPU\".\n\nOn a machine with far memory (and therefore CPU-less NUMA nodes):\n- cpumask_of_node(nid) is 0\n- cpumask_first(0) is CONFIG_NR_CPUS\n- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an\n index that is 1 out of bounds\n\nThis does not have any security implications since flashing microcode is\na privileged operation but I believe this has reliability implications by\npotentially corrupting memory while flashing a microcode update.\n\nWhen booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes\na microcode update. I get the following splat:\n\n UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y\n index 512 is out of range for type 'unsigned long[512]'\n [...]\n Call Trace:\n dump_stack\n __ubsan_handle_out_of_bounds\n load_microcode_amd\n request_microcode_amd\n reload_store\n kernfs_fop_write_iter\n vfs_write\n ksys_write\n do_syscall_64\n entry_SYSCALL_64_after_hwframe\n\nChange the loop to go over only NUMA nodes which have CPUs before determining\nwhether the first CPU on the respective node needs microcode update.\n\n [ bp: Massage commit message, fix typo. ]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: x86/microcode/AMD: Se corrigi\u00f3 un error fuera de los l\u00edmites en sistemas con nodos NUMA sin CPU. Actualmente, load_microcode_amd() itera sobre todos los nodos NUMA, recupera sus m\u00e1scaras de CPU y accede incondicionalmente a los datos por CPU para la primera CPU de cada m\u00e1scara. Seg\u00fan Documentation/admin-guide/mm/numaperf.rst: \"Algunas memorias pueden compartir el mismo nodo que una CPU, mientras que otras se proporcionan como nodos de solo memoria\". Por lo tanto, algunas m\u00e1scaras de CPU de nodo podr\u00edan estar vac\u00edas y no tendr\u00edan una \"primera CPU\". En una m\u00e1quina con memoria extensa (y, por lo tanto, nodos NUMA sin CPU): - cpumask_of_node(nid) es 0 - cpumask_first(0) es CONFIG_NR_CPUS - cpu_data(CONFIG_NR_CPUS) accede a la matriz por CPU cpu_info en un \u00edndice que es 1 fuera de los l\u00edmites. Esto no tiene implicaciones de seguridad, ya que la actualizaci\u00f3n de microc\u00f3digo es una operaci\u00f3n privilegiada, pero creo que tiene implicaciones de confiabilidad al potencialmente corromper la memoria durante la actualizaci\u00f3n de microc\u00f3digo. Al arrancar con CONFIG_UBSAN_BOUNDS=y en una m\u00e1quina AMD que actualiza microc\u00f3digo. Recibo el siguiente mensaje: UBSAN: array-index-out-of-bounds en arch/x86/kernel/cpu/microcode/amd.c:X:Y el \u00edndice 512 est\u00e1 fuera de rango para el tipo 'unsigned long[512]' [...] Seguimiento de llamadas: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Cambie el bucle para que solo recorra los nodos NUMA que tengan CPU antes de determinar si la primera CPU en el nodo respectivo necesita una actualizaci\u00f3n de microc\u00f3digo. [bp: Mensaje de confirmaci\u00f3n de Massage, correcci\u00f3n de error tipogr\u00e1fico.]"}], "lastModified": "2025-04-10T13:24:35.230", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83683E88-BE16-4997-9FDC-102DF930322C", "versionEndExcluding": "4.15", "versionStartIncluding": "4.14.308"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5495F696-4F37-41A0-9020-F01C49FD103A", "versionEndExcluding": "4.20", "versionStartIncluding": "4.19.276"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B84C064-16CC-43FA-AE76-F62E41B8DCFA", "versionEndExcluding": "5.5", "versionStartIncluding": "5.4.235"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF6A0A9F-CF01-4C06-A4AC-AC7810053C8C", "versionEndExcluding": "5.11", "versionStartIncluding": "5.10.173"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55A594E3-39FC-4F69-9614-C6FC3967986F", "versionEndExcluding": "5.16", "versionStartIncluding": "5.15.99"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3A183DD1-F3ED-43BE-99D2-3EA122C43457", "versionEndExcluding": "6.1.132", "versionStartIncluding": "6.1.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3405E1B5-835A-4D00-A7C5-AEA51D851B70", "versionEndExcluding": "6.6.84", "versionStartIncluding": "6.2.3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60E9C5DF-D778-4572-848A-5D6CFFE022CA", "versionEndExcluding": "6.12.20", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A20D4D7-B329-4C68-B662-76062EA7DCF0", "versionEndExcluding": "6.13.8", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3D6550E-6679-4560-902D-AF52DCFE905B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45B90F6B-BEC7-4D4E-883A-9DBADE021750"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1759FFB7-531C-41B1-9AE1-FD3D80E0D920"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}