I. CVE-2025-71104 Basic Information
Vulnerability information
# KVM x86 HV timer hard lockup after inactivity

N/A

Shenlong assessment

Web-class vulnerability: Unknown

Rationale:

N/A
Vulnerability title
KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
Source: US National Vulnerability Database (NVD)
Vulnerability description
In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer

When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration()). Blindly adding the period to the previous target expiration can result in KVM generating a practically unbounded number of hrtimer IRQs due to programming an expired timer over and over. In extreme scenarios, e.g. if userspace pauses/suspends a VM for an extended duration, this can even cause hard lockups in the host.

Currently, the bug only affects Intel CPUs when using the hypervisor timer (HV timer), a.k.a. the VMX preemption timer. Unlike the software timer, a.k.a. hrtimer, which KVM keeps running even on exits to userspace, the HV timer only runs while the guest is active. As a result, if the vCPU does not run for an extended duration, there will be a huge gap between the target expiration and the current time the vCPU resumes running. Because the target expiration is incremented by only one period on each timer expiration, this leads to a series of timer expirations occurring rapidly after the vCPU/VM resumes.

More critically, when the vCPU first triggers a periodic HV timer expiration after resuming, advancing the expiration by only one period will result in a target expiration in the past. As a result, the delta may be calculated as a negative value. When the delta is converted into an absolute value (tscdeadline is an unsigned u64), the resulting value can overflow what the HV timer is capable of programming. I.e. the large value will exceed the VMX Preemption Timer's maximum bit width of cpu_preemption_timer_multi + 32, and thus cause KVM to switch from the HV timer to the software timer (hrtimers).

After switching to the software timer, periodic timer expiration callbacks may be executed consecutively within a single clock interrupt handler, because hrtimers honors KVM's request for an expiration in the past and immediately re-invokes KVM's callback after reprogramming. And because the interrupt handler runs with IRQs disabled, restarting KVM's hrtimer over and over until the target expiration is advanced to "now" can result in a hard lockup.

E.g. the following hard lockup was triggered in the host when running a Windows VM (only relevant because it used the APIC timer in periodic mode) after resuming the VM from a long suspend (in the host).

    NMI watchdog: Watchdog detected hard LOCKUP on cpu 45
    ...
    RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm]
    ...
    RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046
    RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc
    RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500
    RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0
    R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0
    R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8
    FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0
    PKRU: 55555554
    Call Trace:
     <IRQ>
     apic_timer_fn+0x31/0x50 [kvm]
     __hrtimer_run_queues+0x100/0x280
     hrtimer_interrupt+0x100/0x210
     ? ttwu_do_wakeup+0x19/0x160
     smp_apic_timer_interrupt+0x6a/0x130
     apic_timer_interrupt+0xf/0x20
     </IRQ>

Moreover, if the suspend duration of the virtual machine is not long enough to trigger a hard lockup in this scenario, since commit 98c25ead5eda ("KVM: VMX: Move preemption timer <=> hrtimer dance to common x86"), KVM will continue using the software timer until the guest reprograms the APIC timer in some way. Since the periodic timer does not require frequent APIC timer register programming, the guest may continue to use the software timer in ---truncated---
Source: US National Vulnerability Database (NVD)
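The arithmetic behind the description above, as an added example: a user-space C model written for this page, not the kernel code or the upstream patch. It compares blindly adding one period with setting a past expiration to "now", and shows both the wrapped unsigned delta and the number of callback runs inside one interrupt. The function names, the 1 ns = 1 tick simplification, the fixed `now`, and the sample values (1 ms period, 10 s pause, `multi` = 5) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not kernel code: int64 nanoseconds, 1 ns == 1 timer tick,
 * and "now" held fixed for the duration of one interrupt. */

/* Advance by one period; with clamp set, an expiration in the past becomes "now". */
static int64_t advance(int64_t target, int64_t period, int64_t now, int clamp)
{
    target += period;
    if (clamp && target < now)
        target = now;
    return target;
}

/* Delta to the new expiration, as seen once stored in an unsigned 64-bit deadline. */
static uint64_t delta_after_advance(int64_t target, int64_t period, int64_t now, int clamp)
{
    return (uint64_t)(advance(target, period, now, clamp) - now);
}

/* The HV timer can only be programmed with deltas narrower than (multi + 32) bits. */
static int fits_hv_timer(uint64_t delta, unsigned multi)
{
    return (delta >> (multi + 32)) == 0;
}

/* Callback runs inside one interrupt: the timer is re-run while its expiry is past. */
static uint64_t callbacks_in_one_irq(int64_t target, int64_t period, int64_t now, int clamp)
{
    uint64_t runs = 0;
    do {
        target = advance(target, period, now, clamp);
        runs++;
    } while (target < now);
    return runs;
}

int main(void)
{
    /* Constructed sample: 1 ms period, vCPU not run for 10 s, multi = 5. */
    const int64_t period = 1000000, now = 10000000000LL;
    for (int clamp = 0; clamp <= 1; clamp++) {
        uint64_t d = delta_after_advance(0, period, now, clamp);
        printf("clamp=%d delta=%llu fits_hv=%d callbacks=%llu\n", clamp,
               (unsigned long long)d, fits_hv_timer(d, 5),
               (unsigned long long)callbacks_in_one_irq(0, period, now, clamp));
    }
    return 0;
}
```

In this model the callback count without the clamp grows linearly with the pause length divided by the period, which is why a long host-side suspend is the worst case.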
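CVSS information
N/A
Source: US National Vulnerability Database (NVD)
Vulnerability category
N/A
Source: US National Vulnerability Database (NVD)
Vulnerability title
Linux kernel security vulnerability
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability description
Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). The Linux kernel contains a security vulnerability caused by failing to correctly handle an already-expired target expiration time in periodic HV timer mode, which can lead to a hard lockup of the host.
Source: China National Vulnerability Database of Information Security (CNNVD)
CVSS information
N/A
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability category
Other
Source: China National Vulnerability Database of Information Security (CNNVD)
II. Public PoCs for CVE-2025-71104
#  |  PoC description  |  Source link  |  Shenlong link
III. Intelligence on CVE-2025-71104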
  • https://nvd.nist.gov/vuln/detail/CVE-2025-71104