CVE-2025-39936
- Published: 2025-10-04T08:15:46.460
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp – Always pass in an error pointer to __sev_platform_shutdown_locked()
When
9770b428b1a2 (“crypto: ccp – Move dev_info/err messages for SEV/SNP init and shutdown”)
moved the error messages dumping so that they don’t need to be issued by
the callers, it missed the case where __sev_firmware_shutdown() calls
__sev_platform_shutdown_locked() with a NULL argument which leads to
a NULL ptr deref on the shutdown path, during suspend to disk:
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) – not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 0 UID: 0 PID: 983 Comm: hib.sh Not tainted 6.17.0-rc4+ #1 PREEMPT(voluntary)
Hardware name: Supermicro Super Server/H12SSL-i, BIOS 2.5 09/08/2022
RIP: 0010:__sev_platform_shutdown_locked.cold+0x0/0x21 [ccp]
That rIP is:
00000000000006fd :
6fd: 8b 13 mov (%rbx),%edx
6ff: 48 8b 7d 00 mov 0x0(%rbp),%rdi
703: 89 c1 mov %eax,%ecx
Code: 74 05 31 ff 41 89 3f 49 8b 3e 89 ea 48 c7 c6 a0 8e 54 a0 41 bf 92 ff ff ff e8 e5 2e 09 e1 c6 05 2a d4 38 00 01 e9 26 af ff ff 13 48 8b 7d 00 89 c1 48 c7 c6 18 90 54 a0 89 44 24 04 e8 c1 2e
RSP: 0018:ffffc90005467d00 EFLAGS: 00010282
RAX: 00000000ffffff92 RBX: 0000000000000000 RCX: 0000000000000000
^^^^^^^^^^^^^^^^
and %rbx is nice and clean.
Call Trace:
__sev_firmware_shutdown.isra.0
sev_dev_destroy
psp_dev_destroy
sp_destroy
pci_device_shutdown
device_shutdown
kernel_power_off
hibernate.cold
state_store
kernfs_fop_write_iter
vfs_write
ksys_write
do_syscall_64
entry_SYSCALL_64_after_hwframe
Pass in a pointer to the function-local error var in the caller.
With that addressed, suspending the ccp shows the error properly at
least:
ccp 0000:47:00.1: sev command 0x2 timed out, disabling PSP
ccp 0000:47:00.1: SEV: failed to SHUTDOWN error 0x0, rc -110
SEV-SNP: Leaking PFN range 0x146800-0x146a00
SEV-SNP: PFN 0x146800 unassigned, dumping non-zero entries in 2M PFN region: [0x146800 – 0x146a00]
…
ccp 0000:47:00.1: SEV-SNP firmware shutdown failed, rc -16, error 0x0
ACPI: PM: Preparing to enter system sleep state S5
kvm: exiting hardware virtualization
reboot: Power down
Btw, this driver is crying to be cleaned up to pass in a proper I/O
struct which can be used to store information between the different
functions, otherwise stuff like that will happen in the future again.
Related CVE by CWE
No related CWE found.
Top CVE for Vendor
No vendor taxonomy on this entry.
Recently Exploited Similar Vulnerabilities
No recent KEV-listed items for this vendor/product.
How to fix CVE-2025-39936
Description: In the Linux kernel, the following vulnerability has been resolved: crypto: ccp – Always pass in an error pointer to __sev_platform_shutdown_locked() When 9770b428b1a2 (“crypto: ccp – Move dev_info/err messages for SEV/SNP init and shutdown”) moved the error messages dumping so that they don’t need to be issued by the callers, it missed the case where […]
Exploit Difficulty: HARD
⏱️ Time to exploit: > 4 hours
🛠️ Required skills: Advanced security expertise
💰 Public exploits: Rare or not public
How to Fix:
- Check if you're running the affected product
- Update to the latest patched version
- If patching is not immediately possible: restrict network exposure, apply least-privilege access
- Test the fix in a staging environment first
- Review logs for signs of exploitation
- Monitor for IOCs (Indicators of Compromise)
- Enable automatic security updates
- Set up vulnerability monitoring
- Review and harden security configurations
Exploit Difficulty Assessment
Vulnerability Timeline
CVE details first published to NVD database
Added to this CVE tracking system
Detection Rules & IOCs
No specific detection rules generated for this vulnerability type.
No vendor/product data available.