CVE - CVE-2025-22035

CVE-ID
CVE-2025-22035	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In the Linux kernel, the following vulnerability has been resolved: tracing: Fix use-after-free in print_graph_function_flags during tracer switching Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if puting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script: $ echo function_graph > current_tracer $ cat trace > /dev/null & $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point $ echo timerlat > current_tracer The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show(): * One through 'iter->trace->print_line()'; * Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns. Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags. Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'. To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers. [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://git.kernel.org/stable/c/099ef3385800828b74933a96c117574637c3fb3a URL:https://git.kernel.org/stable/c/099ef3385800828b74933a96c117574637c3fb3a MISC:https://git.kernel.org/stable/c/42561fe62c3628ea3bc9623f64f047605e98857f URL:https://git.kernel.org/stable/c/42561fe62c3628ea3bc9623f64f047605e98857f MISC:https://git.kernel.org/stable/c/70be951bc01e4a0e10d443f3510bb17426f257fb URL:https://git.kernel.org/stable/c/70be951bc01e4a0e10d443f3510bb17426f257fb MISC:https://git.kernel.org/stable/c/7f81f27b1093e4895e87b74143c59c055c3b1906 URL:https://git.kernel.org/stable/c/7f81f27b1093e4895e87b74143c59c055c3b1906 MISC:https://git.kernel.org/stable/c/81a85b12132c8ffe98f5ddbdc185481790aeaa1b URL:https://git.kernel.org/stable/c/81a85b12132c8ffe98f5ddbdc185481790aeaa1b MISC:https://git.kernel.org/stable/c/a2cce54c1748216535dda02e185d07a084be837e URL:https://git.kernel.org/stable/c/a2cce54c1748216535dda02e185d07a084be837e MISC:https://git.kernel.org/stable/c/c85efe6e13743cac6ba4ccf144cb91f44c86231a URL:https://git.kernel.org/stable/c/c85efe6e13743cac6ba4ccf144cb91f44c86231a MISC:https://git.kernel.org/stable/c/de7b309139f862a44379ecd96e93c9133c69f813 URL:https://git.kernel.org/stable/c/de7b309139f862a44379ecd96e93c9133c69f813 MISC:https://git.kernel.org/stable/c/f14752d66056d0c7bffe5092130409417d3baa70 URL:https://git.kernel.org/stable/c/f14752d66056d0c7bffe5092130409417d3baa70
Assigning CNA
kernel.org
Date Record Created
20241229	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20241229)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)