CVE-2025-39961 (CNNVD-202510-1348)

UNKNOWN
中文标题:
Linux kernel 安全漏洞
英文标题:
iommu/amd/pgtbl: Fix possible race while increase page table level
CVSS分数: N/A
发布时间: 2025-10-09 12:13:22
漏洞类型: 其他
状态: PUBLISHED
数据质量分数: 0.30
数据版本: v3
漏洞描述
中文描述:

Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于AMD IOMMU主机页表实现中存在竞争条件,可能导致读取错误的页表级别。

英文描述:

In the Linux kernel, the following vulnerability has been resolved: iommu/amd/pgtbl: Fix possible race while increase page table level The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path.

CWE类型:
(暂无数据)
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
Linux Linux 6fb92f18555a7b8e085267d513612dc0ff9a5360 - - cpe:2.3:a:linux:linux:6fb92f18555a7b8e085267d513612dc0ff9a5360:*:*:*:*:*:*:*
Linux Linux b15bf74405faa1a65025eb8a6eb337e140e5250a - - cpe:2.3:a:linux:linux:b15bf74405faa1a65025eb8a6eb337e140e5250a:*:*:*:*:*:*:*
Linux Linux 0d50f7b1e8c80a8c20db5049e269468c059b0378 - - cpe:2.3:a:linux:linux:0d50f7b1e8c80a8c20db5049e269468c059b0378:*:*:*:*:*:*:*
Linux Linux 785ca708a908b9c596ede852470ba28b8dc3e40b - - cpe:2.3:a:linux:linux:785ca708a908b9c596ede852470ba28b8dc3e40b:*:*:*:*:*:*:*
Linux Linux 5.3 - - cpe:2.3:a:linux:linux:5.3:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
无标题 OTHER
cve.org
访问
无标题 OTHER
cve.org
访问
无标题 OTHER
cve.org
访问
无标题 OTHER
cve.org
访问
CVSS评分详情
暂无CVSS评分信息
时间信息
发布时间:
2025-10-09 12:13:22
修改时间:
2025-10-09 12:13:22
创建时间:
2025-11-11 15:40:29
更新时间:
2025-11-11 16:00:16
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2025-39961 2025-11-11 15:23:19 2025-11-11 07:40:29
NVD nvd_CVE-2025-39961 2025-11-11 15:01:05 2025-11-11 07:48:18
CNNVD cnnvd_CNNVD-202510-1348 2025-11-11 15:12:29 2025-11-11 08:00:16
版本与语言
当前版本: v3
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v3 CNNVD
2025-11-11 16:00:16
vulnerability_type: 未提取 → 其他; severity: SeverityLevel.MEDIUM → SeverityLevel.UNKNOWN; cvss_score: 未提取 → 0.0; cnnvd_id: 未提取 → CNNVD-202510-1348; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 其他
  • severity: SeverityLevel.MEDIUM -> SeverityLevel.UNKNOWN
  • cvss_score: 未提取 -> 0.0
  • cnnvd_id: 未提取 -> CNNVD-202510-1348
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:48:18
data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • data_sources: ['cve'] -> ['cve', 'nvd']