{ "affected": [ { "ranges": [ { "events": [ { "introduced": "9770b428b1a28360663f1f5e524ee458b4cf454b" }, { "fixed": "bc509293c9d4f4f74e776f4a0bbb61f63c041938" }, { "fixed": "46834d90a9a13549264b9581067d8f746b4b36cc" } ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "type": "GIT" } ] } ], "database_specific": { "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39936.json" }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked()\n\nWhen\n\n 9770b428b1a2 (\"crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown\")\n\nmoved the error messages dumping so that they don't need to be issued by\nthe callers, it missed the case where __sev_firmware_shutdown() calls\n__sev_platform_shutdown_locked() with a NULL argument which leads to\na NULL ptr deref on the shutdown path, during suspend to disk:\n\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 0 UID: 0 PID: 983 Comm: hib.sh Not tainted 6.17.0-rc4+ #1 PREEMPT(voluntary)\n Hardware name: Supermicro Super Server/H12SSL-i, BIOS 2.5 09/08/2022\n RIP: 0010:__sev_platform_shutdown_locked.cold+0x0/0x21 [ccp]\n\nThat rIP is:\n\n 00000000000006fd \u003c__sev_platform_shutdown_locked.cold\u003e:\n 6fd: 8b 13 mov (%rbx),%edx\n 6ff: 48 8b 7d 00 mov 0x0(%rbp),%rdi\n 703: 89 c1 mov %eax,%ecx\n\n Code: 74 05 31 ff 41 89 3f 49 8b 3e 89 ea 48 c7 c6 a0 8e 54 a0 41 bf 92 ff ff ff e8 e5 2e 09 e1 c6 05 2a d4 38 00 01 e9 26 af ff ff \u003c8b\u003e 13 48 8b 7d 00 89 c1 48 c7 c6 18 90 54 a0 89 44 24 04 e8 c1 2e\n RSP: 0018:ffffc90005467d00 EFLAGS: 00010282\n RAX: 00000000ffffff92 RBX: 0000000000000000 RCX: 0000000000000000\n \t\t\t ^^^^^^^^^^^^^^^^\nand %rbx is nice and clean.\n\n Call Trace:\n \u003cTASK\u003e\n __sev_firmware_shutdown.isra.0\n sev_dev_destroy\n psp_dev_destroy\n sp_destroy\n pci_device_shutdown\n device_shutdown\n kernel_power_off\n hibernate.cold\n state_store\n kernfs_fop_write_iter\n vfs_write\n ksys_write\n do_syscall_64\n entry_SYSCALL_64_after_hwframe\n\nPass in a pointer to the function-local error var in the caller.\n\nWith that addressed, suspending the ccp shows the error properly at\nleast:\n\n ccp 0000:47:00.1: sev command 0x2 timed out, disabling PSP\n ccp 0000:47:00.1: SEV: failed to SHUTDOWN error 0x0, rc -110\n SEV-SNP: Leaking PFN range 0x146800-0x146a00\n SEV-SNP: PFN 0x146800 unassigned, dumping non-zero entries in 2M PFN region: [0x146800 - 0x146a00]\n ...\n ccp 0000:47:00.1: SEV-SNP firmware shutdown failed, rc -16, error 0x0\n ACPI: PM: Preparing to enter system sleep state S5\n kvm: exiting hardware virtualization\n reboot: Power down\n\nBtw, this driver is crying to be cleaned up to pass in a proper I/O\nstruct which can be used to store information between the different\nfunctions, otherwise stuff like that will happen in the future again.", "id": "CVE-2025-39936", "modified": "2026-04-01T23:09:22.068534729Z", "published": "2025-10-04T07:30:59.857Z", "references": [ { "type": "WEB", "url": "https://git.kernel.org/stable/c/46834d90a9a13549264b9581067d8f746b4b36cc" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/bc509293c9d4f4f74e776f4a0bbb61f63c041938" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39936.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39936" }, { "type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" } ], "schema_version": "1.7.3", "summary": "crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked()" }