Home

Description

In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly When an extended state component is not present in fpstate, but in init state, the function copies from init_fpstate via copy_feature(). But, dynamic states are not present in init_fpstate because of all-zeros init states. Then retrieving them from init_fpstate will explode like this: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... RIP: 0010:memcpy_erms+0x6/0x10 ? __copy_xstate_to_uabi_buf+0x381/0x870 fpu_copy_guest_fpstate_to_uabi+0x28/0x80 kvm_arch_vcpu_ioctl+0x14c/0x1460 [kvm] ? __this_cpu_preempt_check+0x13/0x20 ? vmx_vcpu_put+0x2e/0x260 [kvm_intel] kvm_vcpu_ioctl+0xea/0x6b0 [kvm] ? kvm_vcpu_ioctl+0xea/0x6b0 [kvm] ? __fget_light+0xd4/0x130 __x64_sys_ioctl+0xe3/0x910 ? debug_smp_processor_id+0x17/0x20 ? fpregs_assert_state_consistent+0x27/0x50 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Adjust the 'mask' to zero out the userspace buffer for the features that are not available both from fpstate and from init_fpstate. The dynamic features depend on the compacted XSAVE format. Ensure it is enabled before reading XCOMP_BV in init_fpstate.

PUBLISHED Reserved 2025-09-17 | Published 2025-10-01 | Updated 2025-10-01 | Assigner Linux

Product status

Default status
unaffected

2308ee57d93d896618dd65c996429c9d3e469fe0 before 6ff29642fd28965a8f8d6d326ac91bf6075f3113
affected

2308ee57d93d896618dd65c996429c9d3e469fe0 before 471f0aa7fa64e23766a1473b32d9ec3f0718895a
affected

Default status
affected

5.16
affected

Any version before 5.16
unaffected

6.0.7
unaffected

6.1
unaffected

References

git.kernel.org/...c/6ff29642fd28965a8f8d6d326ac91bf6075f3113

git.kernel.org/...c/471f0aa7fa64e23766a1473b32d9ec3f0718895a

cve.org (CVE-2022-50425)

nvd.nist.gov (CVE-2022-50425)

Download JSON