ghsa-fcxj-8496-8247
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
fbdev: hyperv_fb: Fix hang in kdump kernel when on Hyper-V Gen 2 VMs
Gen 2 Hyper-V VMs boot via EFI and have a standard EFI framebuffer device. When the kdump kernel runs in such a VM, loading the efifb driver may hang because of accessing the framebuffer at the wrong memory address.
The scenario occurs when the hyperv_fb driver in the original kernel moves the framebuffer to a different MMIO address because of conflicts with an already-running efifb or simplefb driver. The hyperv_fb driver then informs Hyper-V of the change, which is allowed by the Hyper-V FB VMBus device protocol. However, when the kexec command loads the kdump kernel into crash memory via the kexec_file_load() system call, the system call doesn't know the framebuffer has moved, and it sets up the kdump screen_info using the original framebuffer address. The transition to the kdump kernel does not go through the Hyper-V host, so Hyper-V does not reset the framebuffer address like it would do on a reboot. When efifb tries to run, it accesses a non-existent framebuffer address, which traps to the Hyper-V host. After many such accesses, the Hyper-V host thinks the guest is being malicious, and throttles the guest to the point that it runs very slowly or appears to have hung.
When the kdump kernel is loaded into crash memory via the kexec_load() system call, the problem does not occur. In this case, the kexec command builds the screen_info table itself in user space from data returned by the FBIOGET_FSCREENINFO ioctl against /dev/fb0, which gives it the new framebuffer location.
This problem was originally reported in 2020 [1], resulting in commit 3cb73bc3fa2a ("hyperv_fb: Update screen_info after removing old framebuffer"). This commit solved the problem by setting orig_video_isVGA to 0, so the kdump kernel was unaware of the EFI framebuffer. The efifb driver did not try to load, and no hang occurred. But in 2024, commit c25a19afb81c ("fbdev/hyperv_fb: Do not clear global screen_info") effectively reverted 3cb73bc3fa2a. Commit c25a19afb81c has no reference to 3cb73bc3fa2a, so perhaps it was done without knowing the implications that were reported with 3cb73bc3fa2a. In any case, as of commit c25a19afb81c, the original problem came back again.
Interestingly, the hyperv_drm driver does not have this problem because it never moves the framebuffer. The difference is that the hyperv_drm driver removes any conflicting framebuffers before allocating an MMIO address, while the hyperv_fb driver removes conflicting framebuffers after allocating an MMIO address. With the "after" ordering, hyperv_fb may encounter a conflict and move the framebuffer to a different MMIO address. But the conflict is essentially bogus because it is removed a few lines of code later.
Rather than fix the problem with the approach from 2020 in commit 3cb73bc3fa2a, instead slightly reorder the steps in hyperv_fb so conflicting framebuffers are removed before allocating an MMIO address. Then the default framebuffer MMIO address should always be available, and there's never any confusion about which framebuffer address the kdump kernel should use -- it's always the original address provided by the Hyper-V host. This approach is already used by the hyperv_drm driver, and is consistent with the usage guidelines at the head of the module with the function aperture_remove_conflicting_devices().
This approach also solves a related minor problem when kexec_load() is used to load the kdump kernel. With current code, unbinding and rebinding the hyperv_fb driver could result in the framebuffer moving back to the default framebuffer address, because on the rebind there are no conflicts. If such a move is done after the kdump kernel is loaded with the new framebuffer address, at kdump time it could again have the wrong address.
This problem and fix are described in terms of the kdump kernel, but it can also occur ---truncated---
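The ordering difference described above, reduced to a toy model of an MMIO claim table. This is an added example, not code from the kernel or from this advisory: the `model_*` names, the addresses and the sizes are constructed assumptions, and `DEFAULT_FB` stands in for the framebuffer address that screen_info keeps reporting to a kdump kernel loaded with kexec_file_load().

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values for the model; not taken from any real VM. */
#define FB_SIZE    0x00800000u  /* 8 MiB framebuffer */
#define DEFAULT_FB 0xf8000000u  /* address the host set up at boot (what screen_info holds) */
#define MMIO_END   0xfc000000u  /* end of the MMIO window searched for free space */

struct claim { uint32_t start, len; int used; };
static struct claim claims[4];

static int overlaps(const struct claim *c, uint32_t s, uint32_t len) {
    return c->used && s < c->start + c->len && c->start < s + len;
}
/* Claim [s, s+len); returns -1 if an existing claim overlaps or the table is full. */
static int model_claim(uint32_t s, uint32_t len) {
    int free_slot = -1;
    for (int i = 0; i < 4; i++) {
        if (overlaps(&claims[i], s, len)) return -1;
        if (!claims[i].used && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return -1;
    claims[free_slot] = (struct claim){ s, len, 1 };
    return 0;
}
/* Hypothetical stand-in for removing a conflicting firmware framebuffer driver. */
static void model_remove_conflicting(uint32_t s, uint32_t len) {
    for (int i = 0; i < 4; i++)
        if (overlaps(&claims[i], s, len)) claims[i].used = 0;
}
/* Prefer the default address; on conflict, move to the next free slot. */
static uint32_t model_alloc_fb(void) {
    for (uint32_t a = DEFAULT_FB; a + FB_SIZE <= MMIO_END; a += FB_SIZE)
        if (model_claim(a, FB_SIZE) == 0) return a;
    return 0;
}
/* Returns where the framebuffer ends up. remove_first=0 models the old order. */
static uint32_t model_probe(int remove_first) {
    for (int i = 0; i < 4; i++) claims[i].used = 0;
    model_claim(DEFAULT_FB, FB_SIZE);  /* efifb already holds the boot framebuffer */
    if (remove_first) model_remove_conflicting(DEFAULT_FB, FB_SIZE);
    uint32_t fb = model_alloc_fb();
    if (!remove_first) model_remove_conflicting(DEFAULT_FB, FB_SIZE);
    return fb;
}
int main(void) {
    printf("remove after alloc:  fb=%#x screen_info=%#x\n", (unsigned)model_probe(0), DEFAULT_FB);
    printf("remove before alloc: fb=%#x screen_info=%#x\n", (unsigned)model_probe(1), DEFAULT_FB);
    return 0;
}
```

With the old order the framebuffer lands one slot above the default while screen_info still names the default; with the fixed order the two agree.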
{ "affected": [], "aliases": [ "CVE-2025-21977" ], "database_specific": { "cwe_ids": [], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2025-04-01T16:15:29Z", "severity": null }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: hyperv_fb: Fix hang in kdump kernel when on Hyper-V Gen 2 VMs\n\nGen 2 Hyper-V VMs boot via EFI and have a standard EFI framebuffer\ndevice. When the kdump kernel runs in such a VM, loading the efifb\ndriver may hang because of accessing the framebuffer at the wrong\nmemory address.\n\nThe scenario occurs when the hyperv_fb driver in the original kernel\nmoves the framebuffer to a different MMIO address because of conflicts\nwith an already-running efifb or simplefb driver. The hyperv_fb driver\nthen informs Hyper-V of the change, which is allowed by the Hyper-V FB\nVMBus device protocol. However, when the kexec command loads the kdump\nkernel into crash memory via the kexec_file_load() system call, the\nsystem call doesn\u0027t know the framebuffer has moved, and it sets up the\nkdump screen_info using the original framebuffer address. The transition\nto the kdump kernel does not go through the Hyper-V host, so Hyper-V\ndoes not reset the framebuffer address like it would do on a reboot.\nWhen efifb tries to run, it accesses a non-existent framebuffer\naddress, which traps to the Hyper-V host. After many such accesses,\nthe Hyper-V host thinks the guest is being malicious, and throttles\nthe guest to the point that it runs very slowly or appears to have hung.\n\nWhen the kdump kernel is loaded into crash memory via the kexec_load()\nsystem call, the problem does not occur. 
In this case, the kexec command\nbuilds the screen_info table itself in user space from data returned\nby the FBIOGET_FSCREENINFO ioctl against /dev/fb0, which gives it the\nnew framebuffer location.\n\nThis problem was originally reported in 2020 [1], resulting in commit\n3cb73bc3fa2a (\"hyperv_fb: Update screen_info after removing old\nframebuffer\"). This commit solved the problem by setting orig_video_isVGA\nto 0, so the kdump kernel was unaware of the EFI framebuffer. The efifb\ndriver did not try to load, and no hang occurred. But in 2024, commit\nc25a19afb81c (\"fbdev/hyperv_fb: Do not clear global screen_info\")\neffectively reverted 3cb73bc3fa2a. Commit c25a19afb81c has no reference\nto 3cb73bc3fa2a, so perhaps it was done without knowing the implications\nthat were reported with 3cb73bc3fa2a. In any case, as of commit\nc25a19afb81c, the original problem came back again.\n\nInterestingly, the hyperv_drm driver does not have this problem because\nit never moves the framebuffer. The difference is that the hyperv_drm\ndriver removes any conflicting framebuffers *before* allocating an MMIO\naddress, while the hyperv_fb drivers removes conflicting framebuffers\n*after* allocating an MMIO address. With the \"after\" ordering, hyperv_fb\nmay encounter a conflict and move the framebuffer to a different MMIO\naddress. But the conflict is essentially bogus because it is removed\na few lines of code later.\n\nRather than fix the problem with the approach from 2020 in commit\n3cb73bc3fa2a, instead slightly reorder the steps in hyperv_fb so\nconflicting framebuffers are removed before allocating an MMIO address.\nThen the default framebuffer MMIO address should always be available, and\nthere\u0027s never any confusion about which framebuffer address the kdump\nkernel should use -- it\u0027s always the original address provided by\nthe Hyper-V host. 
This approach is already used by the hyperv_drm\ndriver, and is consistent with the usage guidelines at the head of\nthe module with the function aperture_remove_conflicting_devices().\n\nThis approach also solves a related minor problem when kexec_load()\nis used to load the kdump kernel. With current code, unbinding and\nrebinding the hyperv_fb driver could result in the framebuffer moving\nback to the default framebuffer address, because on the rebind there\nare no conflicts. If such a move is done after the kdump kernel is\nloaded with the new framebuffer address, at kdump time it could again\nhave the wrong address.\n\nThis problem and fix are described in terms of the kdump kernel, but\nit can also occur\n---truncated---", "id": "GHSA-fcxj-8496-8247", "modified": "2025-04-01T18:30:54Z", "published": "2025-04-01T18:30:54Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21977" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/2924802d35e00a36b1503a4e786f1926b2fdc1d0" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/304386373007aaca9236a3f36afac0bbedcd2bf0" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/cfffe46a994ac6d5de3b119917680ea1e9a96125" } ], "schema_version": "1.4.0", "severity": [] }