In the Linux kernel, a vulnerability in the x86 shadow stack support has been resolved. It concerns how the shadow stack registers are exposed through ptrace: the kernel must confirm that the shadow stack is active before "getting" those registers. Applying the fix maintains the stability and security of the Linux kernel.

The x86 shadow stack support has a separate set of registers that are managed through XSAVE, but cannot be accessed by userspace through XSAVE/XRSTOR. This means that these registers are not accessible using the existing ptrace ABI for XSAVE state. A new ptrace get/set interface has been introduced to address this issue.

Original references and details for this vulnerability (the LWN coverage and the affected file in the Linux kernel source):

- https://lwn.net/Articles/847952/
- https://github.com/torvalds/linux/blob/master/arch/x86/kernel/fpu/regset.c

The regset code used by ptrace provides an ->active() handler along with the get/set ones. For the shadow stack, this ->active() handler checks whether the shadow stack is enabled by testing the ARCH_SHSTK_SHSTK bit in the thread struct. The ->active() handler is consulted at some call sites of the regset get/set handlers, but not at the ptrace ones. This was not understood when shadow stack support was initially implemented.

As a consequence, both the get and set handlers can be called with XFEATURE_CET_USER in its init state, causing get_xsave_addr() to return NULL and trigger a WARN_ON(). The ssp_set() handler already has an ssp_active() check to prevent the kernel from exhibiting unexpected shadow stack behavior when it is not prepared for it (ARCH_SHSTK_SHSTK == 0). That check happened to avoid the warning as well.

The ->get() side, however, was not so lucky. It could be called with shadow stacks disabled, triggering the warning in practice, as reported by Christina Schimpe:

WARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 ssp_get+0x89/0xa0
[...]
Call Trace:
<TASK>
? show_regs+0x6e/0x80
? ssp_get+0x89/0xa0
? __warn+0x91/0x150
? ssp_get+0x89/0xa0
? report_bug+0x19d/0x1b0
? handle_bug+0x46/0x80
? exc_invalid_op+0x1d/0x80
? asm_exc_invalid_op+0x1f/0x30
? __pfx_ssp_get+0x10/0x10
? ssp_get+0x89/0xa0
? ssp_get+0x52/0xa0
__regset_get+0xad/0xf0
copy_regset_to_user+0x52/0xc0
ptrace_regset+0x119/0x140
ptrace_request+0x13c/0x850
? wait_task_inactive+0x142/0x1d0
? do_syscall_64+0x6d/0x90
arch_ptrace+0x102/0x300
[...]

To resolve this vulnerability, the patch ensures that the shadow stack is active in a thread before searching for it in the XSAVE buffer. Since ARCH_SHSTK_SHSTK and user_ssp[SHSTK_EN] are set at the same time, the active check guarantees that there will be something to find in the XSAVE buffer.
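The following is an added, self-contained C model of the mechanism described above; it is not kernel code. It mirrors the shapes of the kernel structures (a task's ARCH_SHSTK_* feature bits, an XSAVE buffer whose XSTATE_BV says which components are out of their init state, and a get_xsave_addr() that returns NULL for an init-state component) and shows why the ptrace path, which calls the regset ->get() directly without consulting ->active(), hits the WARN_ON() on a task that never enabled shadow stack, and why checking ssp_active() first avoids it. The structure and function names, the -ENODEV return, and the sample SSP value are assumptions of this model; the real ssp_get() additionally checks the CPU feature, which is omitted here.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the kernel structures involved; not kernel code. */
#define XFEATURE_CET_USER       11                 /* component number in the XSAVE layout */
#define XFEATURE_MASK_CET_USER  (1ULL << XFEATURE_CET_USER)
#define ARCH_SHSTK_SHSTK        (1ULL << 0)        /* feature bit from the arch_prctl() ABI */

struct cet_user_state {
    uint64_t user_cet;   /* CET control bits (SHSTK_EN lives here) */
    uint64_t user_ssp;   /* shadow stack pointer */
};

struct xsave_state {
    uint64_t xfeatures;              /* XSTATE_BV: components that are NOT in init state */
    struct cet_user_state cet_user;  /* the only component this model carries */
};

struct task {
    uint64_t features;               /* thread.features: ARCH_SHSTK_* bits */
    struct xsave_state xsave;        /* the task's saved register state */
};

static int warn_count;               /* counts firings of the modelled WARN_ON() */

/* Same contract as the kernel's get_xsave_addr(): NULL when the component is in init state. */
static void *get_xsave_addr(struct xsave_state *xs, int xfeature_nr)
{
    if (!(xs->xfeatures & (1ULL << xfeature_nr)))
        return NULL;
    return xfeature_nr == XFEATURE_CET_USER ? (void *)&xs->cet_user : NULL;
}

/* The regset ->active() handler: is shadow stack enabled for this task? */
static int ssp_active(const struct task *t)
{
    return (t->features & ARCH_SHSTK_SHSTK) != 0;
}

/* Enabling shadow stack sets ARCH_SHSTK_SHSTK and the XSAVE component together,
 * which is why the ->active() check guarantees get_xsave_addr() finds something. */
static void shstk_enable(struct task *t, uint64_t ssp)
{
    t->features |= ARCH_SHSTK_SHSTK;
    t->xsave.xfeatures |= XFEATURE_MASK_CET_USER;
    t->xsave.cet_user.user_cet = 1;   /* SHSTK_EN */
    t->xsave.cet_user.user_ssp = ssp;
}

/* Pre-fix ->get(): assumes the component is present and warns when it is not. */
static int ssp_get_unchecked(struct task *t, uint64_t *out)
{
    struct cet_user_state *cet = get_xsave_addr(&t->xsave, XFEATURE_CET_USER);

    if (!cet) {             /* WARN_ON(!cetregs) in the real handler */
        warn_count++;
        return -ENODEV;
    }
    *out = cet->user_ssp;
    return 0;
}

/* Post-fix ->get(): confirm the shadow stack is active before looking in XSAVE. */
static int ssp_get_checked(struct task *t, uint64_t *out)
{
    if (!ssp_active(t))
        return -ENODEV;                 /* nothing to report: the regset is inactive */
    return ssp_get_unchecked(t, out);   /* cannot warn now: the component is present */
}

/* Models the ptrace path (ptrace_regset -> copy_regset_to_user -> __regset_get),
 * which calls ->get() directly without consulting ->active(). */
static int ptrace_getregset_ssp(struct task *t, int use_fixed_handler, uint64_t *out)
{
    return use_fixed_handler ? ssp_get_checked(t, out) : ssp_get_unchecked(t, out);
}

int warnings_fired(void) { return warn_count; }

/* Scenario: PTRACE_GETREGSET against a task that never enabled shadow stack. */
int trace_disabled_task(int use_fixed_handler)
{
    struct task t;
    uint64_t ssp = 0;

    memset(&t, 0, sizeof(t));   /* XFEATURE_CET_USER is in its init state */
    return ptrace_getregset_ssp(&t, use_fixed_handler, &ssp);
}

/* Scenario: the same request against a task with shadow stack enabled; returns the SSP read. */
uint64_t trace_enabled_task(int use_fixed_handler)
{
    struct task t;
    uint64_t ssp = 0;

    memset(&t, 0, sizeof(t));
    shstk_enable(&t, 0x7ffff7000000ULL);   /* constructed sample SSP value */
    if (ptrace_getregset_ssp(&t, use_fixed_handler, &ssp) != 0)
        return 0;
    return ssp;
}

int main(void)
{
    printf("unchecked handler on disabled task: rc=%d, warnings=%d\n",
           trace_disabled_task(0), warnings_fired());
    printf("checked handler on disabled task:   rc=%d, warnings=%d\n",
           trace_disabled_task(1), warnings_fired());
    printf("checked handler on enabled task:    ssp=0x%llx\n",
           (unsigned long long)trace_enabled_task(1));
    return 0;
}
```

Running it shows the unchecked handler returning an error and firing the modelled warning on the disabled task, while the checked handler returns the same error cleanly and reads the SSP normally once shadow stack is enabled. The point to take from the model is the one the patch makes: the regset ->active() handler is advisory for the ptrace path, so a ->get() handler must enforce the precondition itself.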

Please make sure to update your Linux kernel to the latest version, which includes this patch, to mitigate this vulnerability and ensure the security and stability of your system.

Timeline

Published on: 01/19/2025 11:15:08 UTC
Last modified on: 01/20/2025 06:29:48 UTC