CVE-2025-21899

MEDIUM

Linux Kernel 4.17-6.1.129, 6.2-6.6.80, 6.7-6.12.17, 6.13-6.13.5 - Use-After-Free in Hist Trigger Registration

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix bad hist from corrupting named_triggers list

The following commands cause a crash:

  ~# cd /sys/kernel/tracing/events/rcu/rcu_callback
  ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' > trigger
  bash: echo: write error: Invalid argument
  ~# echo 'hist:name=bad:keys=common_pid' > trigger

Because the following occurs:

  event_trigger_write() {
    trigger_process_regex() {
      event_hist_trigger_parse() {

        data = event_trigger_alloc(..);

        event_trigger_register(.., data) {
          cmd_ops->reg(.., data, ..) [hist_register_trigger()] {
            data->ops->init() [event_hist_trigger_init()] {
              save_named_trigger(name, data) {
                list_add(&data->named_list, &named_triggers);
              }
            }
          }
        }

        ret = create_actions(); (return -EINVAL)
        if (ret)
          goto out_unreg;
        [..]
        ret = hist_trigger_enable(data, ...) {
          list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!! (this is important!)
        [..]
   out_unreg:
        event_hist_unregister(.., data) {
          cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] {
            list_for_each_entry(iter, &file->triggers, list) {
              if (!hist_trigger_match(data, iter, named_data, false)) <- never matches
                continue;
              [..]
              test = iter;
            }
            if (test && test->ops->free) <<<-- test is NULL
              test->ops->free(test) [event_hist_trigger_free()] {
                [..]
                if (data->name)
                  del_named_trigger(data) {
                    list_del(&data->named_list); <<<<-- NEVER gets removed!
                  }
              }
          }
        }
        [..]
        kfree(data); <<<-- frees item but it is still on list

The next time a hist with name is registered, it causes a u-a-f bug and the kernel can crash.

Move the code around such that if event_trigger_register() succeeds, the next thing called is hist_trigger_enable() which adds it to the list.

A bunch of actions is called if get_named_trigger_data() returns false. But that doesn't need to be called after event_trigger_register(), so it can be moved up, allowing event_trigger_register() to be called just before hist_trigger_enable() keeping them together and allowing the file->triggers to be properly populated.
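The failure ordering above, replayed in user space as an added example. This is not kernel code and not part of the original advisory: the function names mirror the ones in the commit message, but their bodies are simplified stand-ins, kfree() is modelled by a quarantine that records the pointer instead of releasing it (so the stale list entry can be detected by pointer comparison without the model itself reading freed memory), and -EINVAL is written as -22. parse_buggy() keeps the pre-fix order (register, then create_actions(), then enable); parse_fixed() keeps the post-fix order (create_actions() first, register immediately before enable).

```c
/* User-space model of the CVE-2025-21899 ordering bug (added example, not kernel code). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL;
}

struct hist_data {
    char name[32];
    struct list_head named_list;  /* membership of the global named_triggers list */
    struct list_head list;        /* membership of file->triggers */
};
struct trace_file { struct list_head triggers; };
static struct list_head named_triggers;

/* Stand-in for kfree(): quarantine the pointer instead of releasing it, so an
 * object that was "freed" while still linked on a list is detectable by pointer
 * comparison and the model never reads genuinely freed memory. */
static void *freed[8];
static int nfreed;
static void model_kfree(void *p) { if (nfreed < 8) freed[nfreed++] = p; }
static int is_freed(const void *p) {
    for (int i = 0; i < nfreed; i++) if (freed[i] == p) return 1;
    return 0;
}

/* find_named_trigger(): the walk the next named hist registration performs. */
static struct hist_data *find_named_trigger(const char *name) {
    for (struct list_head *pos = named_triggers.next; pos != &named_triggers; pos = pos->next) {
        struct hist_data *t = container_of(pos, struct hist_data, named_list);
        if (!strcmp(t->name, name)) return t;
    }
    return NULL;
}

/* event_trigger_register() -> ... -> save_named_trigger(): joins named_triggers. */
static void hist_register(struct hist_data *d) { list_add_tail(&d->named_list, &named_triggers); }
/* hist_trigger_enable(): only here does the object join file->triggers. */
static void hist_enable(struct trace_file *f, struct hist_data *d) { list_add_tail(&d->list, &f->triggers); }

/* hist_unregister_trigger(): frees, and unlinks from named_triggers, only an
 * object it can find on file->triggers. */
static void hist_unregister(struct trace_file *f, struct hist_data *d) {
    struct hist_data *test = NULL;
    for (struct list_head *pos = f->triggers.next; pos != &f->triggers; pos = pos->next)
        if (container_of(pos, struct hist_data, list) == d) test = d;  /* hist_trigger_match() stand-in */
    if (test) { list_del(&test->list); list_del(&test->named_list); } /* event_hist_trigger_free() */
}

/* create_actions() stand-in: an unknown onmax() field fails with -EINVAL (-22). */
static int create_actions(const char *s) { return strstr(s, "onmax(bogus)") ? -22 : 0; }

static struct hist_data *alloc_hist(const char *name) {
    struct hist_data *d = calloc(1, sizeof *d);
    if (d) strncpy(d->name, name, sizeof d->name - 1);
    return d;
}

/* Pre-fix ordering: register, then create_actions(), then enable. */
int parse_buggy(struct trace_file *f, const char *name, const char *s) {
    struct hist_data *d = alloc_hist(name);
    if (!d) return -12;
    hist_register(d);
    int ret = create_actions(s);
    if (ret) goto out_unreg;
    hist_enable(f, d);
    return 0;
out_unreg:
    hist_unregister(f, d);  /* never matches: d is not on file->triggers yet */
    model_kfree(d);         /* freed while still linked on named_triggers */
    return ret;
}

/* Post-fix ordering: create_actions() first, register immediately before enable. */
int parse_fixed(struct trace_file *f, const char *name, const char *s) {
    struct hist_data *d = alloc_hist(name);
    if (!d) return -12;
    int ret = create_actions(s);
    if (ret) { model_kfree(d); return ret; }  /* never registered, nothing to unlink */
    hist_register(d);
    hist_enable(f, d);
    return 0;
}

/* Replays the failing write from the commit message under one ordering, then does
 * what the second write does first: look the name up on named_triggers. Returns 1
 * if that lookup lands on a freed object (the use-after-free), 0 if it does not,
 * -1 if the first write did not fail with -EINVAL as expected. */
int replay(int (*parse)(struct trace_file *, const char *, const char *)) {
    struct trace_file file;
    list_init(&file.triggers);
    list_init(&named_triggers);
    nfreed = 0;
    if (parse(&file, "bad", "hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)") != -22)
        return -1;
    struct hist_data *hit = find_named_trigger("bad");
    return hit && is_freed(hit);
}

int main(void) {
    printf("pre-fix order: second write hits freed object = %d\n", replay(parse_buggy));
    printf("post-fix order: second write hits freed object = %d\n", replay(parse_fixed));
    return 0;
}
```

The point the model makes is the one the commit message makes: cleanup that locates the object through file->triggers can only undo the named_triggers insertion if the object actually reached file->triggers, so any failure between the two insertions leaves a dangling entry, and the fix is to make sure nothing can fail between them.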

Scores

CVSS v3 5.5
EPSS 0.0018
EPSS Percentile 7.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-476 (NULL Pointer Dereference) as recorded; note that the commit message describes a freed object left on the named_triggers list and read on the next registration, which CWE-416 (Use After Free) matches more closely.
Status published
Products (18)
linux/Kernel 4.17.0 - 6.1.130
linux/Kernel 6.13.0 - 6.13.6
linux/Kernel 6.2.0 - 6.6.81
linux/Kernel 6.7.0 - 6.12.18
Linux/Linux < 4.17
Linux/Linux 067fe038e70f6e64960d26a79c4df5f1413d0f13 - 435d2964af815aae456db554c62963b4515f19d0
Linux/Linux 067fe038e70f6e64960d26a79c4df5f1413d0f13 - 43b254d46c740bf9dbe65709afa021dd726dfa99
Linux/Linux 067fe038e70f6e64960d26a79c4df5f1413d0f13 - 5ae1b18f05ee2b849dc03b6c15d7da0c1c6efa77
Linux/Linux 067fe038e70f6e64960d26a79c4df5f1413d0f13 - 6f86bdeab633a56d5c6dccf1a2c5989b6a5e323e
Linux/Linux 067fe038e70f6e64960d26a79c4df5f1413d0f13 - f1ae50cfb818ce1ac7a674406dfadb7653e2552d
... and 8 more
Published Apr 01, 2025
Tracked Since Feb 18, 2026