| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025041658-CVE-2025-22035-b50c@gregkh>
Date: Wed, 16 Apr 2025 16:12:06 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2025-22035: tracing: Fix use-after-free in print_graph_function_flags during tracer switching
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix use-after-free in print_graph_function_flags during tracer switching
Kairui reported a UAF issue in print_graph_function_flags() during
ftrace stress testing [1]. This issue can be reproduced if puting a
'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(),
and executing the following script:
$ echo function_graph > current_tracer
$ cat trace > /dev/null &
$ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point
$ echo timerlat > current_tracer
The root cause lies in the two calls to print_graph_function_flags
within print_trace_line during each s_show():
* One through 'iter->trace->print_line()';
* Another through 'event->funcs->trace()', which is hidden in
print_trace_fmt() before print_trace_line returns.
Tracer switching only updates the former, while the latter continues
to use the print_line function of the old tracer, which in the script
above is print_graph_function_flags.
Moreover, when switching from the 'function_graph' tracer to the
'timerlat' tracer, s_start only calls graph_trace_close of the
'function_graph' tracer to free 'iter->private', but does not set
it to NULL. This provides an opportunity for 'event->funcs->trace()'
to use an invalid 'iter->private'.
To fix this issue, set 'iter->private' to NULL immediately after
freeing it in graph_trace_close(), ensuring that an invalid pointer
is not passed to other tracers. Additionally, clean up the unnecessary
'iter->private = NULL' during each 'cat trace' when using wakeup and
irqsoff tracers.
[1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/
The Linux kernel CVE team has assigned CVE-2025-22035 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.4.255 with commit 05319d707732c728eb721ac616a50e7978eb499a and fixed in 5.4.292 with commit 42561fe62c3628ea3bc9623f64f047605e98857f
Issue introduced in 5.10.193 with commit b8205dfed68183dc1470e83863c5ded6d7fa30a9 and fixed in 5.10.236 with commit de7b309139f862a44379ecd96e93c9133c69f813
Issue introduced in 5.15.129 with commit ce6e2b14bc094866d9173db6935da2d752f06d8b and fixed in 5.15.180 with commit 81a85b12132c8ffe98f5ddbdc185481790aeaa1b
Issue introduced in 6.1.50 with commit 2cb0c037c927db4ec928cc927488e52aa359786e and fixed in 6.1.134 with commit a2cce54c1748216535dda02e185d07a084be837e
Issue introduced in 6.5 with commit eecb91b9f98d6427d4af5fdb8f108f52572a39e7 and fixed in 6.6.87 with commit 099ef3385800828b74933a96c117574637c3fb3a
Issue introduced in 6.5 with commit eecb91b9f98d6427d4af5fdb8f108f52572a39e7 and fixed in 6.12.23 with commit c85efe6e13743cac6ba4ccf144cb91f44c86231a
Issue introduced in 6.5 with commit eecb91b9f98d6427d4af5fdb8f108f52572a39e7 and fixed in 6.13.11 with commit f14752d66056d0c7bffe5092130409417d3baa70
Issue introduced in 6.5 with commit eecb91b9f98d6427d4af5fdb8f108f52572a39e7 and fixed in 6.14.2 with commit 70be951bc01e4a0e10d443f3510bb17426f257fb
Issue introduced in 6.5 with commit eecb91b9f98d6427d4af5fdb8f108f52572a39e7 and fixed in 6.15-rc1 with commit 7f81f27b1093e4895e87b74143c59c055c3b1906
Issue introduced in 4.14.324 with commit d6b35c9a8d51032ed9890431da3ae39fe76c1ae3
Issue introduced in 4.19.293 with commit 5d433eda76b66ab271f5924b26ddfec063eeb454
Issue introduced in 6.4.13 with commit 2242640e9bd94e706acf75c60a2ab1d0e150e0fb
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-22035
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
kernel/trace/trace_functions_graph.c
kernel/trace/trace_irqsoff.c
kernel/trace/trace_sched_wakeup.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/42561fe62c3628ea3bc9623f64f047605e98857f
https://git.kernel.org/stable/c/de7b309139f862a44379ecd96e93c9133c69f813
https://git.kernel.org/stable/c/81a85b12132c8ffe98f5ddbdc185481790aeaa1b
https://git.kernel.org/stable/c/a2cce54c1748216535dda02e185d07a084be837e
https://git.kernel.org/stable/c/099ef3385800828b74933a96c117574637c3fb3a
https://git.kernel.org/stable/c/c85efe6e13743cac6ba4ccf144cb91f44c86231a
https://git.kernel.org/stable/c/f14752d66056d0c7bffe5092130409417d3baa70
https://git.kernel.org/stable/c/70be951bc01e4a0e10d443f3510bb17426f257fb
https://git.kernel.org/stable/c/7f81f27b1093e4895e87b74143c59c055c3b1906
Powered by blists - more mailing lists