First published: Wed Apr 16 2025
In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix use-after-free in print_graph_function_flags during tracer switching

Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1].

This issue can be reproduced if putting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script:

```
$ echo function_graph > current_tracer
$ cat trace > /dev/null &
$ sleep 5  # Ensure the 'cat' reaches the 'mdelay(10)' point
$ echo timerlat > current_tracer
```

The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show():

* One through 'iter->trace->print_line()';
* Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns.

Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags.

Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'.

To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers.

[1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/
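The description above boils down to a dangling-pointer pattern: one owner frees `iter->private` on tracer switch, but a second consumer that was not switched still reads the field. The following is an added, user-space illustration written for this page; it is not kernel code. The `trace_iterator`, `fgraph_data`, `graph_trace_open`, `graph_trace_close_before`/`_after` and `event_trace_touches_private` names are stand-ins that mirror the roles named in the commit message, and the "consumer" only checks the pointer for NULL rather than dereferencing a freed block, so the stale-pointer case is observable without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the kernel's trace_iterator, reduced to the one field the
 * commit message is about. Hypothetical struct, not the kernel's. */
struct trace_iterator {
    void *private;            /* per-tracer state owned by the active tracer */
};

/* Stand-in for the function_graph tracer's private data. */
struct fgraph_data {
    int depth;
};

/* Tracer "open": allocate the private state (role of graph_trace_open). */
static void graph_trace_open(struct trace_iterator *iter)
{
    struct fgraph_data *data = calloc(1, sizeof *data);
    if (!data) {
        perror("calloc");
        exit(EXIT_FAILURE);
    }
    data->depth = 1;
    iter->private = data;
}

/* Pre-fix close: releases the state but leaves iter->private dangling. */
static void graph_trace_close_before(struct trace_iterator *iter)
{
    free(iter->private);
}

/* Fixed close: release, then clear, so any later consumer sees NULL
 * instead of an address that no longer belongs to it. */
static void graph_trace_close_after(struct trace_iterator *iter)
{
    free(iter->private);
    iter->private = NULL;
}

/* Stand-in for the second consumer (event->funcs->trace()) that keeps
 * running after the switch. Returns 0 if it can bail out on NULL, 1 if it
 * would go on to use the pointer. It never dereferences a freed block. */
static int event_trace_touches_private(const struct trace_iterator *iter)
{
    if (!iter->private)
        return 0;             /* cleared: consumer skips its work safely */
    return 1;                 /* stale but non-NULL: this is the UAF path */
}

/* Model the sequence from the description: open function_graph, then the
 * tracer switch in s_start calls the old tracer's close, then the
 * un-switched consumer runs. Returns 1 if a stale pointer survived. */
static int simulate_switch(void (*close_fn)(struct trace_iterator *))
{
    struct trace_iterator iter = { 0 };

    graph_trace_open(&iter);
    close_fn(&iter);
    return event_trace_touches_private(&iter);
}

int main(void)
{
    printf("before fix: stale iter->private reachable = %d\n",
           simulate_switch(graph_trace_close_before));
    printf("after fix:  stale iter->private reachable = %d\n",
           simulate_switch(graph_trace_close_after));
    return 0;
}
```

The point the simulation makes is the one the fix relies on: clearing the pointer at the free site is what lets every other reader of `iter->private` distinguish "no state" from "freed state", which is why the commit moves the NULL assignment into graph_trace_close() and drops the redundant per-read clears elsewhere.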
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | | |
| Linux Kernel | >=4.14.324, <4.15 | |
| Linux Kernel | >=4.19.293, <4.20 | |
| Linux Kernel | >=5.4.255, <5.4.292 | |
| Linux Kernel | >=5.10.193, <5.10.236 | |
| Linux Kernel | >=5.15.129, <5.15.180 | |
| Linux Kernel | >=6.1.50, <6.1.134 | |
| Linux Kernel | >=6.4.13, <6.6.87 | |
| Linux Kernel | >=6.7, <6.12.23 | |
| Linux Kernel | >=6.13, <6.13.11 | |
| Linux Kernel | >=6.14, <6.14.2 | |
CVE-2025-22035 has a medium severity rating, indicating potential risk but not immediate critical exposure.
To fix CVE-2025-22035, you should update your Linux kernel to the latest version where this vulnerability has been addressed.
CVE-2025-22035 affects the Linux kernel, particularly those versions that utilize the ftrace functionality for tracing.
CVE-2025-22035 can potentially allow an attacker to exploit a use-after-free condition, leading to system instability or possible arbitrary code execution.
There is no known workaround for CVE-2025-22035, so updating the kernel is the recommended action.