Instituto Nacional de Ciberseguridad (National Cybersecurity Institute). INCIBE-CERT section

CVE-2025-40042

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
28/10/2025
Last modified:
29/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix race condition in kprobe initialization causing NULL pointer dereference

There is a critical race condition in kprobe initialization that can lead to
NULL pointer dereference and kernel crash.

[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000
...
[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)
[1135630.269239] pc : kprobe_perf_func+0x30/0x260
[1135630.277643] lr : kprobe_dispatcher+0x44/0x60
[1135630.286041] sp : ffffaeff4977fa40
[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400
[1135630.302837] x27: 0000000000000000 x26: 0000000000000000
[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528
[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50
[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50
[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000
[1135630.349985] x17: 0000000000000000 x16: 0000000000000000
[1135630.359285] x15: 0000000000000000 x14: 0000000000000000
[1135630.368445] x13: 0000000000000000 x12: 0000000000000000
[1135630.377473] x11: 0000000000000000 x10: 0000000000000000
[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000
[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000
[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000
[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006
[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000
[1135630.429410] Call trace:
[1135630.434828] kprobe_perf_func+0x30/0x260
[1135630.441661] kprobe_dispatcher+0x44/0x60
[1135630.448396] aggr_pre_handler+0x70/0xc8
[1135630.454959] kprobe_breakpoint_handler+0x140/0x1e0
[1135630.462435] brk_handler+0xbc/0xd8
[1135630.468437] do_debug_exception+0x84/0x138
[1135630.475074] el1_dbg+0x18/0x8c
[1135630.480582] security_file_permission+0x0/0xd0
[1135630.487426] vfs_write+0x70/0x1c0
[1135630.493059] ksys_write+0x5c/0xc8
[1135630.498638] __arm64_sys_write+0x24/0x30
[1135630.504821] el0_svc_common+0x78/0x130
[1135630.510838] el0_svc_handler+0x38/0x78
[1135630.516834] el0_svc+0x8/0x1b0

kernel/trace/trace_kprobe.c: 1308
0xffff3df8995039ec : ldr x21, [x24,#120]
include/linux/compiler.h: 294
0xffff3df8995039f0 : ldr x1, [x21,x0]

kernel/trace/trace_kprobe.c
1308: head = this_cpu_ptr(call->perf_events);
1309: if (hlist_empty(head))
1310:     return 0;

crash> struct trace_event_call -o
struct trace_event_call {
    ...
    [120] struct hlist_head *perf_events; //(call->perf_event)
    ...
}

crash> struct trace_event_call ffffaf015340e528
struct trace_event_call {
    ...
    perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0
    ...
}

Race Condition Analysis:

The race occurs between kprobe activation and perf_events initialization:

CPU0                                        CPU1
====                                        ====
perf_kprobe_init
  perf_trace_event_init
    tp_event->perf_events = list;(1)
    tp_event->class->reg (2)<- KPROBE ACTIVE
                                            Debug exception triggers
                                            ...
                                            kprobe_dispatcher
                                              kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)
                                                head = this_cpu_ptr(call->perf_events)(3)
                                                (perf_events is still NULL)

Problem:
1. CPU0 executes (1) assigning tp_event->perf_events = list
2. CPU0 executes (2) enabling kprobe functionality via class->reg()
3. CPU1 triggers and reaches kprobe_dispatcher
4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)
5. CPU1 calls kprobe_perf_func() and crashes at (3) because
   call->perf_events is still NULL

CPU1 sees that kprobe functionality is enabled but does not see that
perf_events has been assigned.

Add pairing read an
---truncated---
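The ordering hazard described above, modelled in user space as an added example (this is not the kernel patch, whose text is truncated here): the store that enables the probe becomes a release, the dispatcher's flag check becomes the paired acquire, and the dispatcher checks for NULL where the unpatched kernel faulted. The trace_event_call struct, sample_list and the count_faults harness are constructed stand-ins for the kernel's trace_event_call, its perf_events list and the two CPUs in the diagram.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#define TP_FLAG_PROFILE 1                    /* stands in for the tk->tp.flags bit */
struct perf_list { int cpu_count; };
struct trace_event_call {                    /* hypothetical user-space stand-in */
    _Atomic(struct perf_list *) perf_events; /* offset 120 in the crash dump */
    atomic_int flags;
};
static struct perf_list sample_list = { 1 }; /* constructed sample data */
/* CPU0: perf_trace_event_init() publishes the list (1), then class->reg() enables
 * the probe (2). The release store is the "write" half of the pairing: a reader
 * that observes the flag must also observe (1). A plain store here is racy. */
static void cpu0_register(struct trace_event_call *c) {
    atomic_store_explicit(&c->perf_events, &sample_list, memory_order_relaxed); /* (1) */
    atomic_store_explicit(&c->flags, TP_FLAG_PROFILE, memory_order_release);    /* (2) */
}

/* CPU1: kprobe_dispatcher() -> kprobe_perf_func(); the acquire load is the "read"
 * half. Returns 1 while the probe is inactive, 0 on success, and -1 where the
 * unpatched kernel dereferenced NULL at trace_kprobe.c:1308. */
static int cpu1_dispatch(struct trace_event_call *c) {
    if (!(atomic_load_explicit(&c->flags, memory_order_acquire) & TP_FLAG_PROFILE))
        return 1;
    struct perf_list *head = atomic_load_explicit(&c->perf_events, memory_order_relaxed); /* (3) */
    return (head != NULL && head->cpu_count > 0) ? 0 : -1;  /* check instead of crash */
}
static void *reader(void *p) {               /* CPU1 thread: spin until enabled */
    intptr_t rc = 1;
    while (rc == 1) rc = cpu1_dispatch(p);
    return (void *)rc;
}

/* Replays the registration/dispatch race `rounds` times and returns how often
 * CPU1 saw the probe enabled while perf_events was still NULL (0 when paired). */
int count_faults(int rounds) {
    int faults = 0;
    for (int i = 0; i < rounds; i++) {
        struct trace_event_call call = { NULL, 0 };
        pthread_t t; void *rc;
        if (pthread_create(&t, NULL, reader, &call) != 0) return -1;
        cpu0_register(&call);
        pthread_join(t, &rc);
        faults += ((intptr_t)rc < 0);
    }
    return faults;
}

int main(void) { printf("faults with paired barriers: %d\n", count_faults(1000)); return 0; }
```

Replacing the release/acquire pair with memory_order_relaxed reproduces the unpaired ordering from the analysis; whether a fault is then observed depends on the hardware memory model, which is why the kernel fix adds the barriers rather than relying on the check alone.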

Impact