Company of IT security experts: cybersecurity audits and consulting
French cybersecurity company since 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2025-21999

Description

In the Linux kernel, the following vulnerability has been resolved:

proc: fix UAF in proc_get_inode()

Fix race between rmmod and /proc/XXX's inode instantiation.

The bug is that pde->proc_ops doesn't belong to /proc, it belongs to a module, therefore dereferencing it after the /proc entry has been registered is a bug unless the use_pde/unuse_pde() pair has been used.

use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes, so the information necessary for inode instantiation can be saved _before_ proc_register() in the PDE itself and used later, avoiding the pde->proc_ops->... dereference.

     rmmod                                lookup
sys_delete_module
                                     proc_lookup_de
                                       pde_get(de);
                                       proc_get_inode(dir->i_sb, de);
  mod->exit()
    proc_remove
      remove_proc_subtree
        proc_entry_rundown(de);
  free_module(mod);

                                       if (S_ISREG(inode->i_mode))
                                         if (de->proc_ops->proc_read_iter)
                                         --> As module is already freed, will trigger UAF

BUG: unable to handle page fault for address: fffffbfff80a702b
PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:proc_get_inode+0x302/0x6e0
RSP: 0018:ffff88811c837998 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007
RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158
RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20
R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0
R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001
FS:  00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 proc_lookup_de+0x11f/0x2e0
 __lookup_slow+0x188/0x350
 walk_component+0x2ab/0x4f0
 path_lookupat+0x120/0x660
 filename_lookup+0x1ce/0x560
 vfs_statx+0xac/0x150
 __do_sys_newstat+0x96/0x110
 do_syscall_64+0x5f/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

[adobriyan@gmail.com: don't do 2 atomic ops on the common path]

POC

Reference

No PoCs from references.

GitHub

- https://github.com/fkie-cad/nvd-json-data-feeds

- https://github.com/runwhen-contrib/helm-charts

- https://github.com/w4zu/Debian_security