CVE-2025-21650

CVE-2025-21650 is a vulnerability in the Linux kernel's hns3 network driver, specifically in the hclge_fetch_pf_reg function. The issue arises because the TQP BAR space is divided into two segments—TQPs 0-1023 and TQPs 1024-1279 occupy different BAR space addresses—but hclge_fetch_pf_reg fails to account for this segmentation when reading TQP space information. When the number of TQPs exceeds 1024, this leads to out-of-bounds BAR space access, manifesting as a kernel paging fault with an error like "Unable to handle kernel paging request at virtual address ffff800037200000." The vulnerability is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), as it is triggered through the ethtool_get_regs interface via standard ioctl calls (e.g., sock_ioctl -> dev_ethtool). The stack trace shows the fault originating from hclge_fetch_pf_reg called by hclge_get_regs and hns3_get_regs. Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) in the unscoped security context (S:U), potentially enabling kernel memory corruption, denial of service via crash, or arbitrary code execution.

Mitigation involves applying the upstream Linux kernel patches referenced in the advisory. The primary fix, in commit 0575baa733fc4219f230aef22d5bc35d922f1e9a, modifies hclge_fetch_pf_reg to directly use tqp.io_base for queue reads, respecting the pre-initialized segmentation. A related commit, 7997ddd46c54408bcba5e37fe18b4d832e45d4d4, addresses similar handling. Security practitioners should update affected kernels, particularly those using HiSilicon hns3 hardware with high TQP counts, and monitor for stable backports.