CVE-2025-21999

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 03/04/2025
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

proc: fix UAF in proc_get_inode()

Fix race between rmmod and /proc/XXX's inode instantiation.

The bug is that pde->proc_ops doesn't belong to /proc, it belongs to a module, therefore dereferencing it after the /proc entry has been registered is a bug unless the use_pde/unuse_pde() pair has been used.

use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes, so information necessary for inode instantiation can be saved _before_ proc_register() in the PDE itself and used later, avoiding the pde->proc_ops->... dereference.

    rmmod                         lookup
    sys_delete_module
                                  proc_lookup_de
                                    pde_get(de);
                                    proc_get_inode(dir->i_sb, de);
      mod->exit()
        proc_remove
          remove_proc_subtree
            proc_entry_rundown(de);
      free_module(mod);

                                  if (S_ISREG(inode->i_mode))
                                    if (de->proc_ops->proc_read_iter)
                                      --> As module is already freed, will trigger UAF

    BUG: unable to handle page fault for address: fffffbfff80a702b
    PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0
    Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
    CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
    RIP: 0010:proc_get_inode+0x302/0x6e0
    RSP: 0018:ffff88811c837998 EFLAGS: 00010a06
    RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007
    RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158
    RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20
    R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0
    R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001
    FS:  00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     proc_lookup_de+0x11f/0x2e0
     __lookup_slow+0x188/0x350
     walk_component+0x2ab/0x4f0
     path_lookupat+0x120/0x660
     filename_lookup+0x1ce/0x560
     vfs_statx+0xac/0x150
     __do_sys_newstat+0x96/0x110
     do_syscall_64+0x5f/0x170
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
     </TASK>

[adobriyan@gmail.com: don't do 2 atomic ops on the common path]
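The interleaving in the commit message, replayed as an added userspace model (this is not kernel code and not part of the upstream fix). A proc entry holds a raw pointer to a module-owned ops table; the pre-fix path dereferences that pointer at inode-instantiation time, after rmmod may already have torn the module down, while the fixed path records the bits it needs in the entry before registration and never touches the module's memory again. The struct layouts, the PROC_ENTRY_* bit names, and the helper names below are assumptions modelled on the shape of the fix, not the kernel's definitions; module unload is modelled by clearing the table rather than freeing it mid-use, so the demo itself stays free of undefined behaviour.

```c
/*
 * Userspace model of the proc_get_inode() race (added example, not kernel code).
 * Types, PROC_ENTRY_* bits and helper names are assumptions that mirror the
 * shape of the fix: cache what inode instantiation needs in the PDE before
 * proc_register(), instead of dereferencing module-owned pde->proc_ops later.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct proc_ops {
    long (*proc_read_iter)(void);       /* module-provided */
    long (*proc_compat_ioctl)(void);    /* module-provided */
};

struct proc_dir_entry {
    const struct proc_ops *proc_ops;    /* points into module memory */
    unsigned int flags;                 /* cached PROC_ENTRY_* bits (assumed names) */
};

#define PROC_ENTRY_proc_read_iter    0x4U
#define PROC_ENTRY_proc_compat_ioctl 0x8U

/* Module side: a heap-allocated ops table stands in for module .rodata. */
static long demo_read_iter(void) { return 0; }

static struct proc_ops *module_init_ops(void) {
    struct proc_ops *ops = calloc(1, sizeof *ops);
    if (!ops) abort();
    ops->proc_read_iter = demo_read_iter;   /* this module supports read_iter */
    return ops;
}

/*
 * rmmod: the kernel frees module memory, so whatever was there is gone (and,
 * with KASAN, poisoned; the oops above faults on the shadow address). To keep
 * this demo well-defined the table is cleared here and only free()d by the
 * caller once every read is done.
 */
static void module_exit_ops(struct proc_ops *ops) {
    memset(ops, 0, sizeof *ops);
}

/* --- Before the fix: proc_get_inode() reads pde->proc_ops every time. --- */
static bool old_inode_wants_read_iter(const struct proc_dir_entry *pde) {
    return pde->proc_ops->proc_read_iter != NULL;   /* UAF once the module is gone */
}

/* --- After the fix: record the needed bits once, before the entry is published. --- */
static void fixed_proc_register(struct proc_dir_entry *pde, const struct proc_ops *ops) {
    pde->proc_ops = ops;
    if (ops->proc_read_iter)    pde->flags |= PROC_ENTRY_proc_read_iter;
    if (ops->proc_compat_ioctl) pde->flags |= PROC_ENTRY_proc_compat_ioctl;
    /* ... only now would the entry become visible to lookup (proc_register) ... */
}

static bool fixed_inode_wants_read_iter(const struct proc_dir_entry *pde) {
    return (pde->flags & PROC_ENTRY_proc_read_iter) != 0;   /* never touches proc_ops */
}

/*
 * Replay the race from the commit message:
 *   lookup: pde_get(de); proc_get_inode() starts
 *   rmmod:  mod->exit() -> proc_remove -> free_module
 *   lookup: if (de->proc_ops->proc_read_iter)   <-- old path reads dead module memory
 * Returns what proc_get_inode() concludes about read_iter support for an entry
 * whose module advertised it.
 */
static bool replay_race(bool use_fixed_path) {
    struct proc_ops *ops = module_init_ops();
    struct proc_dir_entry pde = { .proc_ops = ops, .flags = 0 };

    if (use_fixed_path)
        fixed_proc_register(&pde, ops);

    /* lookup holds a PDE reference; rmmod completes before lookup inspects ops */
    module_exit_ops(ops);

    bool has_read_iter = use_fixed_path ? fixed_inode_wants_read_iter(&pde)
                                        : old_inode_wants_read_iter(&pde);
    free(ops);
    return has_read_iter;
}

int main(void) {
    printf("old path sees read_iter:   %s (read from dead module memory)\n",
           replay_race(false) ? "yes" : "no");
    printf("fixed path sees read_iter: %s (cached in the PDE)\n",
           replay_race(true) ? "yes" : "no");
    return 0;
}
```

The old path's answer depends entirely on what happens to be in the module's former memory (here cleared, in the kernel unmapped, hence the page fault); the fixed path's answer comes from the PDE, which lookup already holds a reference to via pde_get(), so no use_pde/unuse_pde pair is needed on the common path.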

Vulnerable products and versions

CPE                                                   From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*          2.6.23 (including)   6.1.132 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*          6.2 (including)      6.6.85 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*          6.7 (including)      6.12.21 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*          6.13 (including)     6.13.9 (excluding)
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*