Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-22069

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/04/2025
Last modified:
26/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler<br /> <br /> Naresh Kamboju reported a "Bad frame pointer" kernel warning while<br /> running LTP trace ftrace_stress_test.sh in riscv. We can reproduce the<br /> same issue with the following command:<br /> <br /> ```<br /> $ cd /sys/kernel/debug/tracing<br /> $ echo &amp;#39;f:myprobe do_nanosleep%return args1=$retval&amp;#39; &gt; dynamic_events<br /> $ echo 1 &gt; events/fprobes/enable<br /> $ echo 1 &gt; tracing_on<br /> $ sleep 1<br /> ```<br /> <br /> And we can get the following kernel warning:<br /> <br /> [ 127.692888] ------------[ cut here ]------------<br /> [ 127.693755] Bad frame pointer: expected ff2000000065be50, received ba34c141e9594000<br /> [ 127.693755] from func do_nanosleep return to ffffffff800ccb16<br /> [ 127.698699] WARNING: CPU: 1 PID: 129 at kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be<br /> [ 127.699894] Modules linked in:<br /> [ 127.700908] CPU: 1 UID: 0 PID: 129 Comm: sleep Not tainted 6.14.0-rc3-g0ab191c74642 #32<br /> [ 127.701453] Hardware name: riscv-virtio,qemu (DT)<br /> [ 127.701859] epc : ftrace_return_to_handler+0x1b2/0x1be<br /> [ 127.702032] ra : ftrace_return_to_handler+0x1b2/0x1be<br /> [ 127.702151] epc : ffffffff8013b5e0 ra : ffffffff8013b5e0 sp : ff2000000065bd10<br /> [ 127.702221] gp : ffffffff819c12f8 tp : ff60000080853100 t0 : 6e00000000000000<br /> [ 127.702284] t1 : 0000000000000020 t2 : 6e7566206d6f7266 s0 : ff2000000065bd80<br /> [ 127.702346] s1 : ff60000081262000 a0 : 000000000000007b a1 : ffffffff81894f20<br /> [ 127.702408] a2 : 0000000000000010 a3 : fffffffffffffffe a4 : 0000000000000000<br /> [ 127.702470] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038<br /> [ 127.702530] s2 : ba34c141e9594000 s3 : 0000000000000000 s4 : ff2000000065bdd0<br /> [ 127.702591] s5 : 00007fff8adcf400 s6 : 000055556dc1d8c0 s7 : 0000000000000068<br /> [ 127.702651] s8 : 00007fff8adf5d10 s9 : 000000000000006d s10: 0000000000000001<br /> [ 127.702710] s11: 00005555737377c8 t3 : ffffffff819d899e t4 : ffffffff819d899e<br /> [ 127.702769] t5 : ffffffff819d89a0 t6 : ff2000000065bb18<br /> [ 127.702826] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003<br /> [ 127.703292] [] ftrace_return_to_handler+0x1b2/0x1be<br /> [ 127.703760] [] return_to_handler+0x16/0x26<br /> [ 127.704009] [] return_to_handler+0x0/0x26<br /> [ 127.704057] [] common_nsleep+0x42/0x54<br /> [ 127.704117] [] __riscv_sys_clock_nanosleep+0xba/0x10a<br /> [ 127.704176] [] do_trap_ecall_u+0x188/0x218<br /> [ 127.704295] [] handle_exception+0x14a/0x156<br /> [ 127.705436] ---[ end trace 0000000000000000 ]---<br /> <br /> The reason is that the stack layout for constructing argument for the<br /> ftrace_return_to_handler in the return_to_handler does not match the<br /> __arch_ftrace_regs structure of riscv, leading to unexpected results.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.14 (including) 6.14.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools