CVE-2025-38346

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ftrace: Fix UAF when lookup kallsym after ftrace disabled<br /> <br /> The following issue happens with a buggy module:<br /> <br /> BUG: unable to handle page fault for address: ffffffffc05d0218<br /> PGD 1bd66f067 P4D 1bd66f067 PUD 1bd671067 PMD 101808067 PTE 0<br /> Oops: Oops: 0000 [#1] SMP KASAN PTI<br /> Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS<br /> RIP: 0010:sized_strscpy+0x81/0x2f0<br /> RSP: 0018:ffff88812d76fa08 EFLAGS: 00010246<br /> RAX: 0000000000000000 RBX: ffffffffc0601010 RCX: dffffc0000000000<br /> RDX: 0000000000000038 RSI: dffffc0000000000 RDI: ffff88812608da2d<br /> RBP: 8080808080808080 R08: ffff88812608da2d R09: ffff88812608da68<br /> R10: ffff88812608d82d R11: ffff88812608d810 R12: 0000000000000038<br /> R13: ffff88812608da2d R14: ffffffffc05d0218 R15: fefefefefefefeff<br /> FS: 00007fef552de740(0000) GS:ffff8884251c7000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: ffffffffc05d0218 CR3: 00000001146f0000 CR4: 00000000000006f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ftrace_mod_get_kallsym+0x1ac/0x590<br /> update_iter_mod+0x239/0x5b0<br /> s_next+0x5b/0xa0<br /> seq_read_iter+0x8c9/0x1070<br /> seq_read+0x249/0x3b0<br /> proc_reg_read+0x1b0/0x280<br /> vfs_read+0x17f/0x920<br /> ksys_read+0xf3/0x1c0<br /> do_syscall_64+0x5f/0x2e0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> The above issue may happen as follows:<br /> (1) Add kprobe tracepoint;<br /> (2) insmod test.ko;<br /> (3) Module triggers ftrace disabled;<br /> (4) rmmod test.ko;<br /> (5) cat /proc/kallsyms; --&gt; Will trigger UAF as test.ko already removed;<br /> ftrace_mod_get_kallsym()<br /> ...<br /> strscpy(module_name, mod_map-&gt;mod-&gt;name, MODULE_NAME_LEN);<br /> ...<br /> <br /> The problem is when a module triggers an issue with ftrace and<br /> sets ftrace_disable. The ftrace_disable is set when an anomaly is<br /> discovered and to prevent any more damage, ftrace stops all text<br /> modification. The issue that happened was that the ftrace_disable stops<br /> more than just the text modification.<br /> <br /> When a module is loaded, its init functions can also be traced. Because<br /> kallsyms deletes the init functions after a module has loaded, ftrace<br /> saves them when the module is loaded and function tracing is enabled. This<br /> allows the output of the function trace to show the init function names<br /> instead of just their raw memory addresses.<br /> <br /> When a module is removed, ftrace_release_mod() is called, and if<br /> ftrace_disable is set, it just returns without doing anything more. The<br /> problem here is that it leaves the mod_list still around and if kallsyms<br /> is called, it will call into this code and access the module memory that<br /> has already been freed as it will return:<br /> <br /> strscpy(module_name, mod_map-&gt;mod-&gt;name, MODULE_NAME_LEN);<br /> <br /> Where the "mod" no longer exists and triggers a UAF bug.