CVE-2025-38131
coresight: prevent deactivate active config while enabling the config
In the Linux kernel, the following vulnerability has been resolved:
coresight: prevent deactivate active config while enabling the config
While enable active config via cscfg_csdev_enable_active_config(),
active config could be deactivated via configfs' sysfs interface.
This could make UAF issue in below scenario:
CPU0 CPU1
(sysfs enable) load module
cscfg_load_config_sets()
activate config. // sysfs
(sys_active_cnt == 1)
...
cscfg_csdev_enable_active_config()
lock(csdev->cscfg_csdev_lock)
// here load config activate by CPU1
unlock(csdev->cscfg_csdev_lock)
deactivate config // sysfs
(sys_activec_cnt == 0)
cscfg_unload_config_sets()
unload module
// access to config_desc which freed
// while unloading module.
cscfg_csdev_enable_config
To address this, use cscfg_config_desc's active_cnt as a reference count
which will be holded when
- activate the config.
- enable the activated config.
and put the module reference when config_active_cnt == 0.
Produtos afetados
Linux · LinuxQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://git.kernel.org/stable/c/31028812724cef7bd57a51525ce58a32a6d73b22https://git.kernel.org/stable/c/408c97c4a5e0b634dcd15bf8b8808b382e888164https://git.kernel.org/stable/c/b3b4efa2e623aecaebd7c9b9e4171f5c659e9724https://git.kernel.org/stable/c/dfe8224c9c7a43d356eb9f74b06868aa05f90223https://git.kernel.org/stable/c/ed42ee1ed05ff2f4c36938379057413a40c56680https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html