CVE-2025-22035 | THREATINT

Description

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix use-after-free in print_graph_function_flags during tracer switching Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if puting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script: $ echo function_graph > current_tracer $ cat trace > /dev/null & $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point $ echo timerlat > current_tracer The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show(): * One through 'iter->trace->print_line()'; * Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns. Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags. Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'. To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers. [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/

Reserved 2024-12-29 | Published 2025-04-16 | Updated 2025-05-26 | Assigner Linux

Product status

Default status

unaffected

05319d707732c728eb721ac616a50e7978eb499a before 42561fe62c3628ea3bc9623f64f047605e98857f

affected

b8205dfed68183dc1470e83863c5ded6d7fa30a9 before de7b309139f862a44379ecd96e93c9133c69f813

affected

ce6e2b14bc094866d9173db6935da2d752f06d8b before 81a85b12132c8ffe98f5ddbdc185481790aeaa1b

affected

2cb0c037c927db4ec928cc927488e52aa359786e before a2cce54c1748216535dda02e185d07a084be837e

affected

eecb91b9f98d6427d4af5fdb8f108f52572a39e7 before 099ef3385800828b74933a96c117574637c3fb3a

affected

eecb91b9f98d6427d4af5fdb8f108f52572a39e7 before c85efe6e13743cac6ba4ccf144cb91f44c86231a

affected

eecb91b9f98d6427d4af5fdb8f108f52572a39e7 before f14752d66056d0c7bffe5092130409417d3baa70

affected

eecb91b9f98d6427d4af5fdb8f108f52572a39e7 before 70be951bc01e4a0e10d443f3510bb17426f257fb

affected

eecb91b9f98d6427d4af5fdb8f108f52572a39e7 before 7f81f27b1093e4895e87b74143c59c055c3b1906

affected

d6b35c9a8d51032ed9890431da3ae39fe76c1ae3

affected

5d433eda76b66ab271f5924b26ddfec063eeb454

affected

2242640e9bd94e706acf75c60a2ab1d0e150e0fb

affected

Default status

affected

6.5

affected

Any version before 6.5

unaffected

5.4.292

unaffected

5.10.236

unaffected

5.15.180

unaffected

6.1.134

unaffected

6.6.87

unaffected

6.12.23

unaffected

6.13.11

unaffected

6.14.2

unaffected

6.15

unaffected

References

git.kernel.org/...c/42561fe62c3628ea3bc9623f64f047605e98857f

git.kernel.org/...c/de7b309139f862a44379ecd96e93c9133c69f813

git.kernel.org/...c/81a85b12132c8ffe98f5ddbdc185481790aeaa1b

git.kernel.org/...c/a2cce54c1748216535dda02e185d07a084be837e

git.kernel.org/...c/099ef3385800828b74933a96c117574637c3fb3a

git.kernel.org/...c/c85efe6e13743cac6ba4ccf144cb91f44c86231a

git.kernel.org/...c/f14752d66056d0c7bffe5092130409417d3baa70

git.kernel.org/...c/70be951bc01e4a0e10d443f3510bb17426f257fb

git.kernel.org/...c/7f81f27b1093e4895e87b74143c59c055c3b1906

cve.org (CVE-2025-22035)

nvd.nist.gov (CVE-2025-22035)

Download JSON