CVE-2025-39683

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing: Limit access to parser-&gt;buffer when trace_get_user failed<br /> <br /> When the length of the string written to set_ftrace_filter exceeds<br /> FTRACE_BUFF_MAX, the following KASAN alarm will be triggered:<br /> <br /> BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0<br /> Read of size 1 at addr ffff0000d00bd5ba by task ash/165<br /> <br /> CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty<br /> Hardware name: linux,dummy-virt (DT)<br /> Call trace:<br /> show_stack+0x34/0x50 (C)<br /> dump_stack_lvl+0xa0/0x158<br /> print_address_description.constprop.0+0x88/0x398<br /> print_report+0xb0/0x280<br /> kasan_report+0xa4/0xf0<br /> __asan_report_load1_noabort+0x20/0x30<br /> strsep+0x18c/0x1b0<br /> ftrace_process_regex.isra.0+0x100/0x2d8<br /> ftrace_regex_release+0x484/0x618<br /> __fput+0x364/0xa58<br /> ____fput+0x28/0x40<br /> task_work_run+0x154/0x278<br /> do_notify_resume+0x1f0/0x220<br /> el0_svc+0xec/0xf0<br /> el0t_64_sync_handler+0xa0/0xe8<br /> el0t_64_sync+0x1ac/0x1b0<br /> <br /> The reason is that trace_get_user will fail when processing a string<br /> longer than FTRACE_BUFF_MAX, but not set the end of parser-&gt;buffer to 0.<br /> Then an OOB access will be triggered in ftrace_regex_release-&gt;<br /> ftrace_process_regex-&gt;strsep-&gt;strpbrk. We can solve this problem by<br /> limiting access to parser-&gt;buffer when trace_get_user failed.