CVE-2025-38131

In the Linux kernel, the following vulnerability has been resolved:

coresight: prevent deactivate active config while enabling the config

While enabling the active config via cscfg_csdev_enable_active_config(),
the active config could be deactivated via configfs’ sysfs interface.
This could cause a UAF issue in the scenario below:

CPU0                                          CPU1
(sysfs enable)                                load module
                                              cscfg_load_config_sets()
                                              activate config. // sysfs
                                              (sys_active_cnt == 1)

cscfg_csdev_enable_active_config()
lock(csdev->cscfg_csdev_lock)
// here load config activate by CPU1
unlock(csdev->cscfg_csdev_lock)

                                              deactivate config // sysfs
                                              (sys_active_cnt == 0)
                                              cscfg_unload_config_sets()
                                              unload module

// access to config_desc which freed
// while unloading module.
cscfg_csdev_enable_config

To address this, use cscfg_config_desc’s active_cnt as a reference count
which will be held when
– activating the config.
– enabling the activated config.
and put the module reference when config_active_cnt == 0.

More information: https://git.kernel.org/stable/c/31028812724cef7bd57a51525ce58a32a6d73b22