Acknowledged
Created: Jul 11, 2025
Updated: Jul 14, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

ftrace: Fix UAF when lookup kallsym after ftrace disabled

The following issue happens with a buggy module:

    BUG: unable to handle page fault for address: ffffffffc05d0218
    PGD 1bd66f067 P4D 1bd66f067 PUD 1bd671067 PMD 101808067 PTE 0
    Oops: Oops: 0000 [#1] SMP KASAN PTI
    Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
    RIP: 0010:sized_strscpy+0x81/0x2f0
    RSP: 0018:ffff88812d76fa08 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: ffffffffc0601010 RCX: dffffc0000000000
    RDX: 0000000000000038 RSI: dffffc0000000000 RDI: ffff88812608da2d
    RBP: 8080808080808080 R08: ffff88812608da2d R09: ffff88812608da68
    R10: ffff88812608d82d R11: ffff88812608d810 R12: 0000000000000038
    R13: ffff88812608da2d R14: ffffffffc05d0218 R15: fefefefefefefeff
    FS: 00007fef552de740(0000) GS:ffff8884251c7000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffffffffc05d0218 CR3: 00000001146f0000 CR4: 00000000000006f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     ftrace_mod_get_kallsym+0x1ac/0x590
     update_iter_mod+0x239/0x5b0
     s_next+0x5b/0xa0
     seq_read_iter+0x8c9/0x1070
     seq_read+0x249/0x3b0
     proc_reg_read+0x1b0/0x280
     vfs_read+0x17f/0x920
     ksys_read+0xf3/0x1c0
     do_syscall_64+0x5f/0x2e0
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

The above issue may happen as follows:
(1) Add kprobe tracepoint;
(2) insmod test.ko;
(3) Module triggers ftrace disabled;
(4) rmmod test.ko;
(5) cat /proc/kallsyms; --> Will trigger UAF as test.ko already removed;

    ftrace_mod_get_kallsym()
    ...
    strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);
    ...

The problem is when a module triggers an issue with ftrace and sets ftrace_disable. The ftrace_disable is set when an anomaly is discovered and, to prevent any more damage, ftrace stops all text modification. The issue that happened was that the ftrace_disable stops more than just the text modification.

When a module is loaded, its init functions can also be traced. Because kallsyms deletes the init functions after a module has loaded, ftrace saves them when the module is loaded and function tracing is enabled. This allows the output of the function trace to show the init function names instead of just their raw memory addresses.

When a module is removed, ftrace_release_mod() is called, and if ftrace_disable is set, it just returns without doing anything more. The problem here is that it leaves the mod_list still around and, if kallsyms is called, it will call into this code and access the module memory that has already been freed as it will return:

    strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);

Where the "mod" no longer exists and triggers a UAF bug.
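The lifecycle ordering described above, as an added model in C that is not kernel code and not the upstream fix: a saved mod_map list that outlives its module when the release path bails out on ftrace_disabled, next to the ordering that drops the maps before the module memory goes away. The struct and function names are simplified stand-ins for the ftrace ones named in the report, and a "freed" flag replaces real freed memory so the walk can detect the dangling entry instead of faulting.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Hypothetical model (not kernel code): "freed" stands in for module memory
 * returned to the allocator, so the walk below can spot a dangling map safely. */
struct module { char name[56]; bool freed; };
/* One saved init-symbol map, referencing the module that owned it. */
struct ftrace_mod_map { struct ftrace_mod_map *next; struct module *mod; };
static struct ftrace_mod_map *mod_maps;   /* stands in for ftrace's mod_map list */
static bool ftrace_disabled;
/* Unlink and free every map that points at mod. */
static void free_mod_maps(struct module *mod)
{
    for (struct ftrace_mod_map **pp = &mod_maps; *pp; ) {
        struct ftrace_mod_map *m = *pp;
        if (m->mod == mod) { *pp = m->next; free(m); } else pp = &m->next;
    }
}

/* rmmod path. Buggy ordering: return as soon as ftrace_disabled is set, so the
 * maps outlive the module they point at. Fixed ordering: drop the maps first. */
static void release_mod(struct module *mod, bool fixed)
{
    if (fixed || !ftrace_disabled)
        free_mod_maps(mod);
    mod->freed = true;                /* module memory goes away either way */
}

/* kallsyms walk: count maps where strscpy(..., mod_map->mod->name, ...) would
 * read freed module memory; anything above zero is the reported UAF. */
static int count_dangling_maps(void)
{
    int n = 0;
    for (struct ftrace_mod_map *m = mod_maps; m; m = m->next)
        if (m->mod->freed) n++;
    return n;
}

/* Steps (2)-(5) of the report with the buggy or the corrected release. */
static int scenario(bool fixed)
{
    struct module *mod = calloc(1, sizeof(*mod));         /* (2) insmod test.ko */
    struct ftrace_mod_map *map = calloc(1, sizeof(*map));
    *mod = (struct module){ .name = "test" };
    map->mod = mod; map->next = mod_maps; mod_maps = map;
    ftrace_disabled = true;                               /* (3) ftrace tripped */
    release_mod(mod, fixed);                              /* (4) rmmod test.ko */
    int dangling = count_dangling_maps();                 /* (5) cat /proc/kallsyms */
    free_mod_maps(mod); free(mod);                        /* tidy up the model */
    return dangling;
}
```

scenario(false) reports one dangling map, the entry the kallsyms walk would dereference; scenario(true) reports none because the maps were removed before the module memory was released.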
CVE: CVE-2025-38346 (https://nvd.nist.gov/vuln/detail/CVE-2025-38346)