CVE-2025-38508 (GCVE-0-2025-38508)
Vulnerability from cvelistv5
Published
2025-08-16 10:54
Modified
2025-08-16 10:54
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation When using Secure TSC, the GUEST_TSC_FREQ MSR reports a frequency based on the nominal P0 frequency, which deviates slightly (typically ~0.2%) from the actual mean TSC frequency due to clocking parameters. Over extended VM uptime, this discrepancy accumulates, causing clock skew between the hypervisor and a SEV-SNP VM, leading to early timer interrupts as perceived by the guest. The guest kernel relies on the reported nominal frequency for TSC-based timekeeping, while the actual frequency set during SNP_LAUNCH_START may differ. This mismatch results in inaccurate time calculations, causing the guest to perceive hrtimers as firing earlier than expected. Utilize the TSC_FACTOR from the SEV firmware's secrets page (see "Secrets Page Format" in the SNP Firmware ABI Specification) to calculate the mean TSC frequency, ensuring accurate timekeeping and mitigating clock skew in SEV-SNP VMs. Use early_ioremap_encrypted() to map the secrets page as ioremap_encrypted() uses kmalloc() which is not available during early TSC initialization and causes a panic. [ bp: Drop the silly dummy var: https://lore.kernel.org/r/20250630192726.GBaGLlHl84xIopx4Pt@fat_crate.local ]
References
Impacted products
Vendor Product Version
Linux Linux Version: 73bbf3b0fbba9aa27fef07a1fbd837661a863f03
Version: 73bbf3b0fbba9aa27fef07a1fbd837661a863f03
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/coco/sev/core.c",
            "arch/x86/include/asm/sev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d0195c42e65805938c9eb507657e7cdf8e1e9522",
              "status": "affected",
              "version": "73bbf3b0fbba9aa27fef07a1fbd837661a863f03",
              "versionType": "git"
            },
            {
              "lessThan": "52e1a03e6cf61ae165f59f41c44394a653a0a788",
              "status": "affected",
              "version": "73bbf3b0fbba9aa27fef07a1fbd837661a863f03",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/coco/sev/core.c",
            "arch/x86/include/asm/sev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sev: Use TSC_FACTOR for Secure TSC frequency calculation\n\nWhen using Secure TSC, the GUEST_TSC_FREQ MSR reports a frequency based on\nthe nominal P0 frequency, which deviates slightly (typically ~0.2%) from\nthe actual mean TSC frequency due to clocking parameters.\n\nOver extended VM uptime, this discrepancy accumulates, causing clock skew\nbetween the hypervisor and a SEV-SNP VM, leading to early timer interrupts as\nperceived by the guest.\n\nThe guest kernel relies on the reported nominal frequency for TSC-based\ntimekeeping, while the actual frequency set during SNP_LAUNCH_START may\ndiffer. This mismatch results in inaccurate time calculations, causing the\nguest to perceive hrtimers as firing earlier than expected.\n\nUtilize the TSC_FACTOR from the SEV firmware\u0027s secrets page (see \"Secrets\nPage Format\" in the SNP Firmware ABI Specification) to calculate the mean\nTSC frequency, ensuring accurate timekeeping and mitigating clock skew in\nSEV-SNP VMs.\n\nUse early_ioremap_encrypted() to map the secrets page as\nioremap_encrypted() uses kmalloc() which is not available during early TSC\ninitialization and causes a panic.\n\n  [ bp: Drop the silly dummy var:\n    https://lore.kernel.org/r/20250630192726.GBaGLlHl84xIopx4Pt@fat_crate.local ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T10:54:45.567Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d0195c42e65805938c9eb507657e7cdf8e1e9522"
        },
        {
          "url": "https://git.kernel.org/stable/c/52e1a03e6cf61ae165f59f41c44394a653a0a788"
        }
      ],
      "title": "x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38508",
    "datePublished": "2025-08-16T10:54:45.567Z",
    "dateReserved": "2025-04-16T04:51:24.022Z",
    "dateUpdated": "2025-08-16T10:54:45.567Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38508\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-08-16T11:15:43.773\",\"lastModified\":\"2025-08-18T20:16:28.750\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/sev: Use TSC_FACTOR for Secure TSC frequency calculation\\n\\nWhen using Secure TSC, the GUEST_TSC_FREQ MSR reports a frequency based on\\nthe nominal P0 frequency, which deviates slightly (typically ~0.2%) from\\nthe actual mean TSC frequency due to clocking parameters.\\n\\nOver extended VM uptime, this discrepancy accumulates, causing clock skew\\nbetween the hypervisor and a SEV-SNP VM, leading to early timer interrupts as\\nperceived by the guest.\\n\\nThe guest kernel relies on the reported nominal frequency for TSC-based\\ntimekeeping, while the actual frequency set during SNP_LAUNCH_START may\\ndiffer. This mismatch results in inaccurate time calculations, causing the\\nguest to perceive hrtimers as firing earlier than expected.\\n\\nUtilize the TSC_FACTOR from the SEV firmware\u0027s secrets page (see \\\"Secrets\\nPage Format\\\" in the SNP Firmware ABI Specification) to calculate the mean\\nTSC frequency, ensuring accurate timekeeping and mitigating clock skew in\\nSEV-SNP VMs.\\n\\nUse early_ioremap_encrypted() to map the secrets page as\\nioremap_encrypted() uses kmalloc() which is not available during early TSC\\ninitialization and causes a panic.\\n\\n  [ bp: Drop the silly dummy var:\\n    https://lore.kernel.org/r/20250630192726.GBaGLlHl84xIopx4Pt@fat_crate.local ]\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: x86/sev: Usar TSC_FACTOR para el c\u00e1lculo de frecuencia de Secure TSC. Al usar Secure TSC, el MSR GUEST_TSC_FREQ informa una frecuencia basada en la frecuencia P0 nominal, que se desv\u00eda ligeramente (normalmente ~0,2 %) de la frecuencia media real de TSC debido a los par\u00e1metros de reloj. Con el tiempo de actividad prolongado de la m\u00e1quina virtual, esta discrepancia se acumula, causando un sesgo de reloj entre el hipervisor y una m\u00e1quina virtual SEV-SNP, lo que lleva a interrupciones tempranas del temporizador seg\u00fan lo percibe el invitado. El kernel invitado se basa en la frecuencia nominal informada para el control de tiempo basado en TSC, mientras que la frecuencia real establecida durante SNP_LAUNCH_START puede diferir. Esta falta de coincidencia resulta en c\u00e1lculos de tiempo inexactos, lo que hace que el invitado perciba que los temporizadores hr se activan antes de lo esperado. Utilice el factor TSC_FACTOR de la p\u00e1gina de secretos del firmware SEV (consulte \\\"Formato de la p\u00e1gina de secretos\\\" en la especificaci\u00f3n ABI del firmware SNP) para calcular la frecuencia media de TSC, lo que garantiza una sincronizaci\u00f3n precisa y mitiga el desfase de reloj en las m\u00e1quinas virtuales SEV-SNP. Utilice early_ioremap_encrypted() para mapear la p\u00e1gina de secretos, ya que ioremap_encrypted() utiliza kmalloc(), que no est\u00e1 disponible durante la inicializaci\u00f3n temprana de TSC y provoca un p\u00e1nico. [bp: Eliminar la variable ficticia: https://lore.kernel.org/r/20250630192726.GBaGLlHl84xIopx4Pt@fat_crate.local]\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/52e1a03e6cf61ae165f59f41c44394a653a0a788\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d0195c42e65805938c9eb507657e7cdf8e1e9522\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.