The CVE-2025-22065 vulnerability in the Linux kernel arises due to a double invocation of `idpf_remove()` during system reboot when SR-IOV (Single Root I/O Virtualization) is enabled. The issue occurs because the Virtual Function (VF) devices use the same driver as the Physical Function (PF), leading to repeated cleanup calls.
When the system reboots, `idpf_shutdown()` triggers `idpf_remove()`, which later calls `sriov_disable()`. Since VFs also rely on the same driver, `idpf_remove()` executes again, but the adapter structure may already be NULL from the first cleanup. This results in a NULL pointer dereference, crashing the kernel. The bug manifests when executing:
echo 1 > /sys/class/net/<netif>/device/sriov_numvfs
reboot
The kernel panic trace shows a failure at `idpf_remove+0x22`, dereferencing `0x0000000000000020`. The fix involves replacing `idpf_remove()` in `idpf_shutdown()` with partial cleanup functions (`idpf_vc_core_deinit()` and `idpf_deinit_dflt_mbx()`) to avoid redundant SR-IOV disablement.
DailyCVE Form:
Platform: Linux Kernel
Version: Pre-patch versions with IDPF driver
Vulnerability: NULL Pointer Dereference
Severity: Critical
Date: 05/06/2025
What Undercode Say:
Exploitation:
1. Attacker enables SR-IOV on a vulnerable NIC:
echo 1 > /sys/class/net/eth0/device/sriov_numvfs
2. Triggers reboot to exploit race condition:
systemctl reboot --force
Mitigation:
1. Apply kernel patches from upstream.
2. Disable SR-IOV if unused:
echo 0 > /sys/class/net/eth0/device/sriov_numvfs
Debugging:
Check kernel logs for NULL dereference:
dmesg | grep "idpf_remove"
Patch Analysis:
The fix modifies `idpf_shutdown()` to avoid full removal:
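static void idpf_shutdown(struct pci_dev *pdev)
{
	struct idpf_adapter *adapter = pci_get_drvdata(pdev);

	/* Simplified: only the partial-cleanup calls named above are shown. */
	/* No idpf_remove() here, so sriov_disable() is not reached on shutdown. */
	idpf_vc_core_deinit(adapter);
	idpf_deinit_dflt_mbx(adapter);
}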
Impact:
- Privilege Escalation: Possible via kernel crash.
- DoS: Guaranteed system crash on reboot.
Detection:
Scan for vulnerable IDPF driver versions:
modinfo idpf | grep version
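A check that combines the detection step with the SR-IOV mitigation above, as an added example that is not part of the original page: it lists interfaces whose PCI device is bound to `idpf` and has a non-zero `sriov_numvfs`, the configuration in which the reboot crash occurs. The function name `idpf_sriov_exposed` and its optional sysfs-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find idpf physical functions that currently have VFs enabled.
# $1 is an optional sysfs root (hypothetical parameter, used for offline
# testing against a constructed tree); it defaults to /sys.
idpf_sriov_exposed() {
    sysroot="${1:-/sys}"
    found=1                                   # exit status: 1 = nothing exposed
    for dev in "$sysroot"/class/net/*/device; do
        # Only SR-IOV capable PFs carry sriov_numvfs; VFs do not.
        [ -e "$dev/sriov_numvfs" ] || continue
        # The last component of the driver symlink is the bound driver name.
        drv=$(basename "$(readlink "$dev/driver" 2>/dev/null)" 2>/dev/null) || continue
        [ "$drv" = "idpf" ] || continue
        numvfs=$(cat "$dev/sriov_numvfs" 2>/dev/null) || continue
        case "$numvfs" in ''|*[!0-9]*) continue ;; esac   # skip non-numeric
        if [ "$numvfs" -gt 0 ]; then
            netif=$(basename "$(dirname "$dev")")
            echo "$netif numvfs=$numvfs"
            found=0                           # at least one PF is exposed
        fi
    done
    return "$found"
}

# Run against the live system when executed directly.
idpf_sriov_exposed "$@" || echo "no idpf PF with SR-IOV VFs enabled"
```

Each reported interface can have its VFs disabled with the `echo 0` command from the mitigation list until the patched kernel is installed.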
Workaround:
Blacklist the `idpf` module temporarily:
echo "blacklist idpf" > /etc/modprobe.d/disable_idpf.conf
Sources:
Reported By: nvd.nist.gov