Message-ID: <2025091614-CVE-2025-39813-295c@gregkh>
Date: Tue, 16 Sep 2025 15:00:19 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39813: ftrace: Fix potential warning in trace_printk_seq during ftrace_dump

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ftrace: Fix potential warning in trace_printk_seq during ftrace_dump

When calling ftrace_dump_one() concurrently with reading trace_pipe,
a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race
condition.

The issue occurs because:

CPU0 (ftrace_dump)                              CPU1 (reader)
echo z > /proc/sysrq-trigger

!trace_empty(&iter)
trace_iterator_reset(&iter) <- len = size = 0
                                                cat /sys/kernel/tracing/trace_pipe
trace_find_next_entry_inc(&iter)
  __find_next_entry
    ring_buffer_empty_cpu <- all empty
  return NULL

trace_printk_seq(&iter.seq)
  WARN_ON_ONCE(s->seq.len >= s->seq.size)

In the context between trace_empty() and trace_find_next_entry_inc()
during ftrace_dump, the ring buffer data was consumed by other readers.
This caused trace_find_next_entry_inc to return NULL, failing to populate
`iter.seq`. At this point, due to the prior trace_iterator_reset, both
`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,
the WARN_ON_ONCE condition is triggered.

Move the trace_printk_seq() into the if block that checks to make sure the
return value of trace_find_next_entry_inc() is non-NULL in
ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before
subsequent operations.

The Linux kernel CVE team has assigned CVE-2025-39813 to this issue.
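As an added illustration (a simplified model written for this page, not kernel code and not part of the advisory), the following C program reduces the race described above to its essentials: an iterator reset that leaves len == size == 0, a concurrent trace_pipe reader that drains the ring between the emptiness check and the fetch, and the fix of calling the print routine only when the fetch returned an entry. The struct and function names are stand-ins for their kernel counterparts.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for struct trace_seq: just the len/size pair that
 * WARN_ON_ONCE(s->seq.len >= s->seq.size) inspects. */
struct seq_model { char buf[64]; size_t len; size_t size; };
/* Stand-in for the ring buffer: a count of entries still pending. */
struct ring_model { int entries; };

/* Models trace_iterator_reset(): clears the seq, leaving len == size == 0. */
static void iterator_reset(struct seq_model *s) { s->len = 0; s->size = 0; }

/* Models trace_find_next_entry_inc(): NULL when the ring is empty,
 * otherwise formats one entry into the seq and consumes it. */
static const char *find_next_entry_inc(struct ring_model *rb, struct seq_model *s)
{
	if (rb->entries == 0)
		return NULL;
	rb->entries--;
	s->size = sizeof(s->buf);
	s->len = (size_t)snprintf(s->buf, s->size, "entry %d\n", rb->entries);
	return s->buf;
}

/* Models trace_printk_seq(): returns 1 if its WARN_ON_ONCE would fire. */
static int printk_seq(struct seq_model *s)
{
	int warned = s->len >= s->size;
	if (!warned)
		fputs(s->buf, stdout);
	s->len = 0;
	return warned;
}

/* One pass of the ftrace_dump_one() loop, entered after trace_empty() has
 * already returned false. reader_drains models a trace_pipe reader emptying
 * the ring before the fetch; fixed selects the patched ordering.
 * Returns 1 if the warning fires, 0 otherwise. */
static int dump_pass(bool reader_drains, bool fixed)
{
	struct ring_model rb = { .entries = 3 };  /* constructed sample ring */
	struct seq_model seq = { 0 };
	iterator_reset(&seq);                     /* len = size = 0 */
	if (reader_drains)
		rb.entries = 0;                       /* cat trace_pipe consumed it all */
	const char *e = find_next_entry_inc(&rb, &seq);
	if (fixed)
		return e ? printk_seq(&seq) : 0;      /* print only in the non-NULL branch */
	return printk_seq(&seq);                  /* unpatched: prints a zero-sized seq */
}
```

Running dump_pass(true, false) reproduces the warning condition, while dump_pass(true, true) shows that the patched ordering never reaches the print with an unpopulated seq.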


Affected and fixed versions
===========================

	Issue introduced in 2.6.28 with commit d769041f865330034131525ee6a7f72eb4af2a24 and fixed in 5.4.298 with commit f299353e7ccbcc5c2ed8993c48fbe7609cbe729a
	Issue introduced in 2.6.28 with commit d769041f865330034131525ee6a7f72eb4af2a24 and fixed in 5.10.242 with commit 5ab0ec206deb99eb3baf8f1d7602aeaa91dbcc85
	Issue introduced in 2.6.28 with commit d769041f865330034131525ee6a7f72eb4af2a24 and fixed in 5.15.191 with commit a6f0f8873cc30fd4543b09adf03f7f51d293f0e6
	Issue introduced in 2.6.28 with commit d769041f865330034131525ee6a7f72eb4af2a24 and fixed in 6.1.150 with commit e80ff23ba8bdb0f41a1afe2657078e4097d13a9a
	Issue introduced in 2.6.28 with commit d769041f865330034131525ee6a7f72eb4af2a24 and fixed in 6.6.104 with commit 28c8fb7ae2ad27d81c8de3c4fe608c509f6a18aa
	Issue introduced in 2.6.28 with commit d769041f865330034131525ee6a7f72eb4af2a24 and fixed in 6.12.45 with commit ced94e137e6cd5e79c65564841d3b7695d0f5fa3
	Issue introduced in 2.6.28 with commit d769041f865330034131525ee6a7f72eb4af2a24 and fixed in 6.16.5 with commit fbd4cf7ee4db65ef36796769fe978e9eba6f0de4
	Issue introduced in 2.6.28 with commit d769041f865330034131525ee6a7f72eb4af2a24 and fixed in 6.17-rc3 with commit 4013aef2ced9b756a410f50d12df9ebe6a883e4a

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-39813
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	kernel/trace/trace.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/f299353e7ccbcc5c2ed8993c48fbe7609cbe729a
	https://git.kernel.org/stable/c/5ab0ec206deb99eb3baf8f1d7602aeaa91dbcc85
	https://git.kernel.org/stable/c/a6f0f8873cc30fd4543b09adf03f7f51d293f0e6
	https://git.kernel.org/stable/c/e80ff23ba8bdb0f41a1afe2657078e4097d13a9a
	https://git.kernel.org/stable/c/28c8fb7ae2ad27d81c8de3c4fe608c509f6a18aa
	https://git.kernel.org/stable/c/ced94e137e6cd5e79c65564841d3b7695d0f5fa3
	https://git.kernel.org/stable/c/fbd4cf7ee4db65ef36796769fe978e9eba6f0de4
	https://git.kernel.org/stable/c/4013aef2ced9b756a410f50d12df9ebe6a883e4a
