7.8

CVE-2025-21991

x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes

In the Linux kernel, the following vulnerability has been resolved:

x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes

Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their
CPU masks and unconditionally accesses per-CPU data for the first CPU of each
mask.

According to Documentation/admin-guide/mm/numaperf.rst:

  "Some memory may share the same node as a CPU, and others are provided as
  memory only nodes."

Therefore, some node CPU masks may be empty and wouldn't have a "first CPU".

On a machine with far memory (and therefore CPU-less NUMA nodes):
- cpumask_of_node(nid) is 0
- cpumask_first(0) is CONFIG_NR_CPUS
- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an
  index that is 1 out of bounds

This does not have any security implications since flashing microcode is
a privileged operation but I believe this has reliability implications by
potentially corrupting memory while flashing a microcode update.

When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes
a microcode update. I get the following splat:

  UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y
  index 512 is out of range for type 'unsigned long[512]'
  [...]
  Call Trace:
   dump_stack
   __ubsan_handle_out_of_bounds
   load_microcode_amd
   request_microcode_amd
   reload_store
   kernfs_fop_write_iter
   vfs_write
   ksys_write
   do_syscall_64
   entry_SYSCALL_64_after_hwframe

Change the loop to go over only NUMA nodes which have CPUs before determining
whether the first CPU on the respective node needs microcode update.

  [ bp: Massage commit message, fix typo. ]
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.14.308 < 4.15
LinuxLinux Kernel Version >= 4.19.276 < 4.20
LinuxLinux Kernel Version >= 5.4.235 < 5.5
LinuxLinux Kernel Version >= 5.10.173 < 5.11
LinuxLinux Kernel Version >= 5.15.99 < 5.16
LinuxLinux Kernel Version >= 6.1.16 < 6.1.132
LinuxLinux Kernel Version >= 6.2.3 < 6.6.84
LinuxLinux Kernel Version >= 6.7 < 6.12.20
LinuxLinux Kernel Version >= 6.13 < 6.13.8
LinuxLinux Kernel Version6.14 Updaterc1
LinuxLinux Kernel Version6.14 Updaterc2
LinuxLinux Kernel Version6.14 Updaterc3
LinuxLinux Kernel Version6.14 Updaterc4
LinuxLinux Kernel Version6.14 Updaterc5
LinuxLinux Kernel Version6.14 Updaterc6
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.2% 0.094
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-129 Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

https://git.kernel.org/stable/c/488ffc0cac38f203979f83634236ee53251ce593
Patch
https://git.kernel.org/stable/c/5ac295dfccb5b015493f86694fa13a0dde4d3665
Patch
https://git.kernel.org/stable/c/e3e89178a9f4a80092578af3ff3c8478f9187d59
Patch
https://git.kernel.org/stable/c/e686349cc19e800dac8971929089ba5ff59abfb0
Patch
https://git.kernel.org/stable/c/ec52240622c4d218d0240079b7c1d3ec2328a9f4
Patch
https://git.kernel.org/stable/c/18b5d857c6496b78ead2fd10001b81ae32d30cac
Patch
https://git.kernel.org/stable/c/985a536e04bbfffb1770df43c6470f635a6b1073
Patch
https://git.kernel.org/stable/c/d509c4731090ebd9bbdb72c70a2d70003ae81f4f
Patch
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html