ghsa-hrmw-f63j-cpmf
Vulnerability from github
Published
2025-10-28 12:30
Modified
2025-10-29 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix race condition in kprobe initialization causing NULL pointer dereference

There is a critical race condition in kprobe initialization that can lead to NULL pointer dereference and kernel crash.

[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatcher+0x44/0x60 [1135630.286041] sp : ffffaeff4977fa40 [1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400 [1135630.302837] x27: 0000000000000000 x26: 0000000000000000 [1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528 [1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50 [1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50 [1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000 [1135630.349985] x17: 0000000000000000 x16: 0000000000000000 [1135630.359285] x15: 0000000000000000 x14: 0000000000000000 [1135630.368445] x13: 0000000000000000 x12: 0000000000000000 [1135630.377473] x11: 0000000000000000 x10: 0000000000000000 [1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000 [1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000 [1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000 [1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006 [1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000 [1135630.429410] Call trace: [1135630.434828] kprobe_perf_func+0x30/0x260 [1135630.441661] kprobe_dispatcher+0x44/0x60 [1135630.448396] aggr_pre_handler+0x70/0xc8 [1135630.454959] kprobe_breakpoint_handler+0x140/0x1e0 [1135630.462435] brk_handler+0xbc/0xd8 [1135630.468437] do_debug_exception+0x84/0x138 [1135630.475074] el1_dbg+0x18/0x8c [1135630.480582] security_file_permission+0x0/0xd0 [1135630.487426] vfs_write+0x70/0x1c0 [1135630.493059] ksys_write+0x5c/0xc8 [1135630.498638] __arm64_sys_write+0x24/0x30 [1135630.504821] el0_svc_common+0x78/0x130 [1135630.510838] el0_svc_handler+0x38/0x78 [1135630.516834] el0_svc+0x8/0x1b0

kernel/trace/trace_kprobe.c: 1308 0xffff3df8995039ec : ldr x21, [x24,#120] include/linux/compiler.h: 294 0xffff3df8995039f0 : ldr x1, [x21,x0]

kernel/trace/trace_kprobe.c 1308: head = this_cpu_ptr(call->perf_events); 1309: if (hlist_empty(head)) 1310: return 0;

crash> struct trace_event_call -o struct trace_event_call { ... [120] struct hlist_head *perf_events; //(call->perf_event) ... }

crash> struct trace_event_call ffffaf015340e528 struct trace_event_call { ... perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0 ... }

Race Condition Analysis:

The race occurs between kprobe activation and perf_events initialization:

CPU0 CPU1 ==== ==== perf_kprobe_init perf_trace_event_init tp_event->perf_events = list;(1) tp_event->class->reg (2)← KPROBE ACTIVE Debug exception triggers ... kprobe_dispatcher kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE) head = this_cpu_ptr(call->perf_events)(3) (perf_events is still NULL)

Problem: 1. CPU0 executes (1) assigning tp_event->perf_events = list 2. CPU0 executes (2) enabling kprobe functionality via class->reg() 3. CPU1 triggers and reaches kprobe_dispatcher 4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed) 5. CPU1 calls kprobe_perf_func() and crashes at (3) because call->perf_events is still NULL

CPU1 sees that kprobe functionality is enabled but does not see that perf_events has been assigned.

Add pairing read an ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-40042"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-28T12:15:38Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix race condition in kprobe initialization causing NULL pointer dereference\n\nThere is a critical race condition in kprobe initialization that can lead to\nNULL pointer dereference and kernel crash.\n\n[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000\n...\n[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)\n[1135630.269239] pc : kprobe_perf_func+0x30/0x260\n[1135630.277643] lr : kprobe_dispatcher+0x44/0x60\n[1135630.286041] sp : ffffaeff4977fa40\n[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400\n[1135630.302837] x27: 0000000000000000 x26: 0000000000000000\n[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528\n[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50\n[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50\n[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000\n[1135630.349985] x17: 0000000000000000 x16: 0000000000000000\n[1135630.359285] x15: 0000000000000000 x14: 0000000000000000\n[1135630.368445] x13: 0000000000000000 x12: 0000000000000000\n[1135630.377473] x11: 0000000000000000 x10: 0000000000000000\n[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000\n[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000\n[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000\n[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006\n[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000\n[1135630.429410] Call trace:\n[1135630.434828]  kprobe_perf_func+0x30/0x260\n[1135630.441661]  kprobe_dispatcher+0x44/0x60\n[1135630.448396]  aggr_pre_handler+0x70/0xc8\n[1135630.454959]  kprobe_breakpoint_handler+0x140/0x1e0\n[1135630.462435]  brk_handler+0xbc/0xd8\n[1135630.468437]  do_debug_exception+0x84/0x138\n[1135630.475074]  el1_dbg+0x18/0x8c\n[1135630.480582]  security_file_permission+0x0/0xd0\n[1135630.487426]  vfs_write+0x70/0x1c0\n[1135630.493059]  ksys_write+0x5c/0xc8\n[1135630.498638]  __arm64_sys_write+0x24/0x30\n[1135630.504821]  el0_svc_common+0x78/0x130\n[1135630.510838]  el0_svc_handler+0x38/0x78\n[1135630.516834]  el0_svc+0x8/0x1b0\n\nkernel/trace/trace_kprobe.c: 1308\n0xffff3df8995039ec \u003ckprobe_perf_func+0x2c\u003e:     ldr     x21, [x24,#120]\ninclude/linux/compiler.h: 294\n0xffff3df8995039f0 \u003ckprobe_perf_func+0x30\u003e:     ldr     x1, [x21,x0]\n\nkernel/trace/trace_kprobe.c\n1308: head = this_cpu_ptr(call-\u003eperf_events);\n1309: if (hlist_empty(head))\n1310: \treturn 0;\n\ncrash\u003e struct trace_event_call -o\nstruct trace_event_call {\n  ...\n  [120] struct hlist_head *perf_events;  //(call-\u003eperf_event)\n  ...\n}\n\ncrash\u003e struct trace_event_call ffffaf015340e528\nstruct trace_event_call {\n  ...\n  perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0\n  ...\n}\n\nRace Condition Analysis:\n\nThe race occurs between kprobe activation and perf_events initialization:\n\n  CPU0                                    CPU1\n  ====                                    ====\n  perf_kprobe_init\n    perf_trace_event_init\n      tp_event-\u003eperf_events = list;(1)\n      tp_event-\u003eclass-\u003ereg (2)\u2190 KPROBE ACTIVE\n                                          Debug exception triggers\n                                          ...\n                                          kprobe_dispatcher\n                                            kprobe_perf_func (tk-\u003etp.flags \u0026 TP_FLAG_PROFILE)\n                                              head = this_cpu_ptr(call-\u003eperf_events)(3)\n                                              (perf_events is still NULL)\n\nProblem:\n1. CPU0 executes (1) assigning tp_event-\u003eperf_events = list\n2. CPU0 executes (2) enabling kprobe functionality via class-\u003ereg()\n3. CPU1 triggers and reaches kprobe_dispatcher\n4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)\n5. CPU1 calls kprobe_perf_func() and crashes at (3) because\n   call-\u003eperf_events is still NULL\n\nCPU1 sees that kprobe functionality is enabled but does not see that\nperf_events has been assigned.\n\nAdd pairing read an\n---truncated---",
  "id": "GHSA-hrmw-f63j-cpmf",
  "modified": "2025-10-29T15:31:53Z",
  "published": "2025-10-28T12:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40042"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07926ce598a95de6fd874a74fb510e2ebdfd0aae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0fa388ab2c290ef1115ff88ae88e881d0fb2db02"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1a301228c0a8aedc3154fb1a274456f487416b96"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5ebea6561649d30ec7a18fea23d7f76738dae916"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/95dd33361061f808d1f68616d69ada639e737cfa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9c4951b691bb8d7a004acd010f45144391f85ea6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a6e89ada1ff6b70df73f579071ffa6ade8ae7f98"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.