CVE Alert

CVE-2025-21899

UNKNOWN 0.0

tracing: Fix bad hist from corrupting named_triggers list

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix bad hist from corrupting named_triggers list

The following commands cause a crash:

    ~# cd /sys/kernel/tracing/events/rcu/rcu_callback
    ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' > trigger
    bash: echo: write error: Invalid argument
    ~# echo 'hist:name=bad:keys=common_pid' > trigger

Because the following occurs:

    event_trigger_write() {
      trigger_process_regex() {
        event_hist_trigger_parse() {

          data = event_trigger_alloc(..);

          event_trigger_register(.., data) {
            cmd_ops->reg(.., data, ..) [hist_register_trigger()] {
              data->ops->init() [event_hist_trigger_init()] {
                save_named_trigger(name, data) {
                  list_add(&data->named_list, &named_triggers);
                }
              }
            }
          }

          ret = create_actions(); (return -EINVAL)
          if (ret)
            goto out_unreg;
    [..]
          ret = hist_trigger_enable(data, ...) {
            list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!! (this is important!)
    [..]
     out_unreg:
          event_hist_unregister(.., data) {
            cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] {
              list_for_each_entry(iter, &file->triggers, list) {
                if (!hist_trigger_match(data, iter, named_data, false)) <- never matches
                  continue;
                [..]
                test = iter;
              }
              if (test && test->ops->free) <<<-- test is NULL

                test->ops->free(test) [event_hist_trigger_free()] {
                  [..]
                  if (data->name)
                    del_named_trigger(data) {
                      list_del(&data->named_list); <<<<-- NEVER gets removed!
                    }
                }
            }
          }

          [..]
          kfree(data); <<<-- frees item but it is still on list

The next time a hist with name is registered, it causes a u-a-f bug and the kernel can crash.

Move the code around such that if event_trigger_register() succeeds, the next thing called is hist_trigger_enable() which adds it to the list.

A bunch of actions is called if get_named_trigger_data() returns false. But that doesn't need to be called after event_trigger_register(), so it can be moved up, allowing event_trigger_register() to be called just before hist_trigger_enable() keeping them together and allowing the file->triggers to be properly populated.
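
The list invariant described above, as an added userspace model in C (not kernel code and not part of the original commit). The struct, the helper names and the fixed_order/actions_fail parameters are assumptions made for illustration, and kfree() is modelled as a flag so the final check never touches freed memory.

```c
/* Constructed model of the named_triggers / file->triggers error path. */
#include <stdbool.h>
#include <stdio.h>
struct trig { struct trig *named_next, *file_next; bool freed; };
static struct trig *named_triggers; /* models the global named_triggers list */
static struct trig *file_triggers;  /* models file->triggers */
/* models event_trigger_register(): init() adds data to named_triggers */
static void reg(struct trig *d) { d->named_next = named_triggers; named_triggers = d; }
/* models hist_trigger_enable(): adds data to file->triggers */
static void enable(struct trig *d) { d->file_next = file_triggers; file_triggers = d; }

/* models hist_unregister_trigger(): cleans up only what it finds on file->triggers */
static void unreg(struct trig *d)
{
    struct trig **pp, **np;
    for (pp = &file_triggers; *pp; pp = &(*pp)->file_next) {
        if (*pp != d)
            continue;
        *pp = d->file_next;
        for (np = &named_triggers; *np; np = &(*np)->named_next)
            if (*np == d) { *np = d->named_next; break; } /* del_named_trigger() */
        return;
    }
} /* entry not on file->triggers: named_triggers is left untouched */

/* Runs one parse; returns how many named_triggers entries are marked freed. */
static int parse(struct trig *d, bool fixed_order, bool actions_fail)
{
    int dangling = 0;
    if (!fixed_order) reg(d);          /* old order: register before the actions */
    if (actions_fail) {                /* create_actions() returns -EINVAL */
        if (!fixed_order) unreg(d);    /* goto out_unreg */
        d->freed = true;               /* kfree(data), modelled as a flag */
    } else {
        if (fixed_order) reg(d);       /* new order: register ... */
        enable(d);                     /* ... then enable right away */
    }
    for (struct trig *t = named_triggers; t; t = t->named_next)
        dangling += t->freed;
    return dangling;
}

int main(void)
{
    struct trig a = {0}, b = {0};
    printf("old order:   %d dangling\n", parse(&a, false, true));
    named_triggers = file_triggers = NULL; /* reset the model between runs */
    printf("fixed order: %d dangling\n", parse(&b, true, true));
    return 0;
}
```

With the old ordering the failed parse leaves one freed entry reachable from named_triggers; with registration moved next to the enable step, a failing action never touches either list.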

Vendor linux
Product linux
Ecosystems
Industries
Technology
Published Apr 1, 2025
Last Updated May 11, 2026

Affected Versions

Linux / Linux
067fe038e70f6e64960d26a79c4df5f1413d0f13 < 5ae1b18f05ee2b849dc03b6c15d7da0c1c6efa77
067fe038e70f6e64960d26a79c4df5f1413d0f13 < 43b254d46c740bf9dbe65709afa021dd726dfa99
067fe038e70f6e64960d26a79c4df5f1413d0f13 < 435d2964af815aae456db554c62963b4515f19d0
067fe038e70f6e64960d26a79c4df5f1413d0f13 < f1ae50cfb818ce1ac7a674406dfadb7653e2552d
067fe038e70f6e64960d26a79c4df5f1413d0f13 < 6f86bdeab633a56d5c6dccf1a2c5989b6a5e323e
Linux / Linux
4.17

References

NVD, CVE.org, EPSS Data
git.kernel.org: https://git.kernel.org/stable/c/5ae1b18f05ee2b849dc03b6c15d7da0c1c6efa77
git.kernel.org: https://git.kernel.org/stable/c/43b254d46c740bf9dbe65709afa021dd726dfa99
git.kernel.org: https://git.kernel.org/stable/c/435d2964af815aae456db554c62963b4515f19d0
git.kernel.org: https://git.kernel.org/stable/c/f1ae50cfb818ce1ac7a674406dfadb7653e2552d
git.kernel.org: https://git.kernel.org/stable/c/6f86bdeab633a56d5c6dccf1a2c5989b6a5e323e
lists.debian.org: https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html