CVE-2025-38346
Publication date:
10/07/2025
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ftrace: Fix UAF when lookup kallsym after ftrace disabled<br />
<br />
The following issue happens with a buggy module:<br />
<br />
BUG: unable to handle page fault for address: ffffffffc05d0218<br />
PGD 1bd66f067 P4D 1bd66f067 PUD 1bd671067 PMD 101808067 PTE 0<br />
Oops: Oops: 0000 [#1] SMP KASAN PTI<br />
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br />
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS<br />
RIP: 0010:sized_strscpy+0x81/0x2f0<br />
RSP: 0018:ffff88812d76fa08 EFLAGS: 00010246<br />
RAX: 0000000000000000 RBX: ffffffffc0601010 RCX: dffffc0000000000<br />
RDX: 0000000000000038 RSI: dffffc0000000000 RDI: ffff88812608da2d<br />
RBP: 8080808080808080 R08: ffff88812608da2d R09: ffff88812608da68<br />
R10: ffff88812608d82d R11: ffff88812608d810 R12: 0000000000000038<br />
R13: ffff88812608da2d R14: ffffffffc05d0218 R15: fefefefefefefeff<br />
FS: 00007fef552de740(0000) GS:ffff8884251c7000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: ffffffffc05d0218 CR3: 00000001146f0000 CR4: 00000000000006f0<br />
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br />
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br />
Call Trace:<br />
<br />
ftrace_mod_get_kallsym+0x1ac/0x590<br />
update_iter_mod+0x239/0x5b0<br />
s_next+0x5b/0xa0<br />
seq_read_iter+0x8c9/0x1070<br />
seq_read+0x249/0x3b0<br />
proc_reg_read+0x1b0/0x280<br />
vfs_read+0x17f/0x920<br />
ksys_read+0xf3/0x1c0<br />
do_syscall_64+0x5f/0x2e0<br />
entry_SYSCALL_64_after_hwframe+0x76/0x7e<br />
<br />
The above issue may happen as follows:<br />
(1) Add kprobe tracepoint;<br />
(2) insmod test.ko;<br />
(3) Module triggers ftrace disabled;<br />
(4) rmmod test.ko;<br />
(5) cat /proc/kallsyms; --> Will trigger UAF as test.ko already removed;<br />
ftrace_mod_get_kallsym()<br />
...<br />
strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);<br />
...<br />
<br />
The problem is when a module triggers an issue with ftrace and<br />
sets ftrace_disable. The ftrace_disable is set when an anomaly is<br />
discovered and to prevent any more damage, ftrace stops all text<br />
modification. The issue that happened was that the ftrace_disable stops<br />
more than just the text modification.<br />
<br />
When a module is loaded, its init functions can also be traced. Because<br />
kallsyms deletes the init functions after a module has loaded, ftrace<br />
saves them when the module is loaded and function tracing is enabled. This<br />
allows the output of the function trace to show the init function names<br />
instead of just their raw memory addresses.<br />
<br />
When a module is removed, ftrace_release_mod() is called, and if<br />
ftrace_disable is set, it just returns without doing anything more. The<br />
problem here is that it leaves the mod_list still around and if kallsyms<br />
is called, it will call into this code and access the module memory that<br />
has already been freed as it will return:<br />
<br />
strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);<br />
<br />
Where the "mod" no longer exists and triggers a UAF bug.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025