CVE-2025-22022

{"id": "CVE-2025-22022", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-04-16T11:15:42.883", "references": [{"url": "https://git.kernel.org/stable/c/061a1683bae6ef56ab8fa392725ba7495515cd1d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/43a18225150ce874d23b37761c302a5dffee1595", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a4931d9fb99eb5462f3eaa231999d279c40afb21", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bb0ba4cb1065e87f9cc75db1fa454e56d0894d01", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Apply the link chain quirk on NEC isoc endpoints\n\nTwo clearly different specimens of NEC uPD720200 (one with start/stop\nbug, one without) were seen to cause IOMMU faults after some Missed\nService Errors. Faulting address is immediately after a transfer ring\nsegment and patched dynamic debug messages revealed that the MSE was\nreceived when waiting for a TD near the end of that segment:\n\n[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0\n[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]\n[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]\n\nIt gets even funnier if the next page is a ring segment accessible to\nthe HC. Below, it reports MSE in segment at ff1e8000, plows through a\nzero-filled page at ff1e9000 and starts reporting events for TRBs in\npage at ff1ea000 every microframe, instead of jumping to seg ff1e6000.\n\n[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.\n[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n\nAt some point completion events change from Isoch Buffer Overrun to\nShort Packet and the HC finally finds cycle bit mismatch in ff1ec000.\n\n[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2\n\nIt's possible that data from the isochronous device were written to\nrandom buffers of pending TDs on other endpoints (either IN or OUT),\nother devices or even other HCs in the same IOMMU domain.\n\nLastly, an error from a different USB device on another HC. Was it\ncaused by the above? I don't know, but it may have been. The disk\nwas working without any other issues and generated PCIe traffic to\nstarve the NEC of upstream BW and trigger those MSEs. The two HCs\nshared one x1 slot by means of a commercial \"PCIe splitter\" board.\n\n[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd\n[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s\n[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00\n[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0\n\nFortunately, it appears that this ridiculous bug is avoided by setting\nthe chain bit of Link TRBs on isochronous rings. Other ancient HCs are\nknown which also expect the bit to be set and they ignore Link TRBs if\nit's not. Reportedly, 0.95 spec guaranteed that the bit is set.\n\nThe bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports\ntens of MSEs per second and runs into the bug within seconds. Chaining\nLink TRBs allows the same workload to run for many minutes, many times.\n\nNo ne\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: xhci: Aplicar la peculiaridad de la cadena de enlace en los endpoints isoc de NEC Se observ\u00f3 que dos ejemplares claramente diferentes de NEC uPD720200 (uno con un error de inicio/detenci\u00f3n y otro sin \u00e9l) causaban fallas de IOMMU despu\u00e9s de algunos errores de servicio perdido. La direcci\u00f3n con fallas se encuentra inmediatamente despu\u00e9s de un segmento de anillo de transferencia y los mensajes de depuraci\u00f3n din\u00e1mica parcheados revelaron que se recibi\u00f3 el MSE cuando se esperaba un TD cerca del final de ese segmento: [1.041954] xhci_hcd: Error de intervalo de servicio faltante para la ranura 1 ep 2 se esperaba TD DMA ffa08fe0 [1.042120] xhci_hcd: AMD-Vi: Evento registrado [IO_PAGE_FAULT dominio=0x0005 direcci\u00f3n=0xffa09000 indicadores=0x0000] [1.042146] xhci_hcd: AMD-Vi: Evento registrado [IO_PAGE_FAULT dominio=0x0005 direcci\u00f3n=0xffa09040 indicadores=0x0000] Se vuelve a\u00fan m\u00e1s divertido si la siguiente p\u00e1gina es un segmento de anillo accesible para el HC. A continuaci\u00f3n, informa MSE en el segmento en ff1e8000, recorre una p\u00e1gina llena de ceros en ff1e9000 y comienza a informar eventos para TRB en la p\u00e1gina en ff1ea000 cada microtrama, en lugar de saltar al segmento ff1e6000. [7.041671] xhci_hcd: Error de intervalo de servicio perdido para la ranura 1 ep 2 esperada TD DMA ff1e8fe0 [7.041999] xhci_hcd: Error de intervalo de servicio perdido para la ranura 1 ep 2 esperada TD DMA ff1e8fe0 [7.042011] xhci_hcd: ADVERTENCIA: evento de desbordamiento de b\u00fafer para la ranura 1 ep 2 en el endpoint [7.042028] xhci_hcd: Se omitieron todos los TD para la ranura 1 ep 2. Borrar el indicador de omisi\u00f3n. [ 7.042134] xhci_hcd: ADVERTENCIA: evento de desbordamiento de b\u00fafer para la ranura 1 ep 2 en el endpoint [ 7.042138] xhci_hcd: ERROR Evento de transferencia TRB DMA ptr no forma parte del TD actual ep_index 2 comp_code 31 [ 7.042144] xhci_hcd: Buscando evento-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [ 7.042259] xhci_hcd: ADVERTENCIA: evento de desbordamiento de b\u00fafer para la ranura 1 ep 2 en el endpoint [ 7.042262] xhci_hcd: ERROR Evento de transferencia TRB DMA ptr no forma parte del TD actual ep_index 2 comp_code 31 [ 7.042266] xhci_hcd: Buscando evento-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 En alg\u00fan punto, los eventos de finalizaci\u00f3n cambian de Desbordamiento de b\u00fafer de isocrono a Paquete corto y el HC finalmente encuentra una falta de coincidencia de bits de ciclo en ff1ec000. [ 7.098130] xhci_hcd: ERROR El punto de transferencia TRB DMA del evento no forma parte del TD actual ep_index 2 comp_code 13 [ 7.098132] xhci_hcd: Buscando el punto de transferencia event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [ 7.098254] xhci_hcd: ERROR El punto de transferencia TRB DMA del evento no forma parte del TD actual ep_index 2 comp_code 13 [ 7.098256] xhci_hcd: Buscando el punto de transferencia event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [7.098379] xhci_hcd: Evento de saturaci\u00f3n en la ranura 1, episodio 2. Es posible que los datos del dispositivo is\u00f3crono se escribieran en b\u00faferes aleatorios de TD pendientes en otros endpoints (de entrada o de salida), otros dispositivos o incluso otros HC en el mismo dominio IOMMU. Por \u00faltimo, se produjo un error de un dispositivo USB diferente en otro HC. \u00bfFue causado por lo anterior? No lo s\u00e9, pero podr\u00eda haber sido. El disco funcionaba sin problemas y gener\u00f3 tr\u00e1fico PCIe que priv\u00f3 al NEC de BW ascendente y activ\u00f3 esos MSE. Los dos HC compart\u00edan una ranura x1 mediante una placa divisora PCIe comercial. [ 7.162604] usb 10-2: restablecer el dispositivo USB SuperSpeed n\u00famero 3 usando xhci_hcd [ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Resultado: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s [ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00 [ 7.179004] Error de E/S, dev sdb, sector 67284480 op 0x0:(READ) ---truncated---"}], "lastModified": "2025-10-28T20:06:50.287", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3305898E-492D-4B2D-A104-239EBBFCF257", "versionEndExcluding": "6.12.22"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E9410CA0-CED8-49BE-9DB4-856654736C32", "versionEndExcluding": "6.13.10", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82E37853-46C8-4BB6-9FA4-9838FD34D6A2"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}