cve/published/2025/CVE-2025-22069.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-22069: riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler

 Naresh Kamboju reported a "Bad frame pointer" kernel warning while
 running LTP trace ftrace_stress_test.sh in riscv. We can reproduce the
 same issue with the following command:

 ```
 $ cd /sys/kernel/debug/tracing
 $ echo 'f:myprobe do_nanosleep%return args1=$retval' > dynamic_events
 $ echo 1 > events/fprobes/enable
 $ echo 1 > tracing_on
 $ sleep 1
 ```

 And we can get the following kernel warning:

 [  127.692888] ------------[ cut here ]------------
 [  127.693755] Bad frame pointer: expected ff2000000065be50, received ba34c141e9594000
 [  127.693755]   from func do_nanosleep return to ffffffff800ccb16
 [  127.698699] WARNING: CPU: 1 PID: 129 at kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be
 [  127.699894] Modules linked in:
 [  127.700908] CPU: 1 UID: 0 PID: 129 Comm: sleep Not tainted 6.14.0-rc3-g0ab191c74642 #32
 [  127.701453] Hardware name: riscv-virtio,qemu (DT)
 [  127.701859] epc : ftrace_return_to_handler+0x1b2/0x1be
 [  127.702032]  ra : ftrace_return_to_handler+0x1b2/0x1be
 [  127.702151] epc : ffffffff8013b5e0 ra : ffffffff8013b5e0 sp : ff2000000065bd10
 [  127.702221]  gp : ffffffff819c12f8 tp : ff60000080853100 t0 : 6e00000000000000
 [  127.702284]  t1 : 0000000000000020 t2 : 6e7566206d6f7266 s0 : ff2000000065bd80
 [  127.702346]  s1 : ff60000081262000 a0 : 000000000000007b a1 : ffffffff81894f20
 [  127.702408]  a2 : 0000000000000010 a3 : fffffffffffffffe a4 : 0000000000000000
 [  127.702470]  a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038
 [  127.702530]  s2 : ba34c141e9594000 s3 : 0000000000000000 s4 : ff2000000065bdd0
 [  127.702591]  s5 : 00007fff8adcf400 s6 : 000055556dc1d8c0 s7 : 0000000000000068
 [  127.702651]  s8 : 00007fff8adf5d10 s9 : 000000000000006d s10: 0000000000000001
 [  127.702710]  s11: 00005555737377c8 t3 : ffffffff819d899e t4 : ffffffff819d899e
 [  127.702769]  t5 : ffffffff819d89a0 t6 : ff2000000065bb18
 [  127.702826] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003
 [  127.703292] [<ffffffff8013b5e0>] ftrace_return_to_handler+0x1b2/0x1be
 [  127.703760] [<ffffffff80017bce>] return_to_handler+0x16/0x26
 [  127.704009] [<ffffffff80017bb8>] return_to_handler+0x0/0x26
 [  127.704057] [<ffffffff800d3352>] common_nsleep+0x42/0x54
 [  127.704117] [<ffffffff800d44a2>] __riscv_sys_clock_nanosleep+0xba/0x10a
 [  127.704176] [<ffffffff80901c56>] do_trap_ecall_u+0x188/0x218
 [  127.704295] [<ffffffff8090cc3e>] handle_exception+0x14a/0x156
 [  127.705436] ---[ end trace 0000000000000000 ]---

 The reason is that the stack layout for constructing argument for the
 ftrace_return_to_handler in the return_to_handler does not match the
 __arch_ftrace_regs structure of riscv, leading to unexpected results.

 The Linux kernel CVE team has assigned CVE-2025-22069 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.14 with commit a3ed4157b7d89800a0008de0c9e46a438a5c3745 and fixed in 6.14.2 with commit 78b39c587b8f6c69140177108f9c08a75b1c7c37
 	Issue introduced in 6.14 with commit a3ed4157b7d89800a0008de0c9e46a438a5c3745 and fixed in 6.15 with commit 67a5ba8f742f247bc83e46dd2313c142b1383276

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-22069
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/riscv/kernel/mcount.S


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/78b39c587b8f6c69140177108f9c08a75b1c7c37
 	https://git.kernel.org/stable/c/67a5ba8f742f247bc83e46dd2313c142b1383276
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-22069: riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler

	Naresh Kamboju reported a "Bad frame pointer" kernel warning while
	running LTP trace ftrace_stress_test.sh in riscv. We can reproduce the
	same issue with the following command:

	```
	$ cd /sys/kernel/debug/tracing
	$ echo 'f:myprobe do_nanosleep%return args1=$retval' > dynamic_events
	$ echo 1 > events/fprobes/enable
	$ echo 1 > tracing_on
	$ sleep 1
	```

	And we can get the following kernel warning:

	[ 127.692888] ------------[ cut here ]------------
	[ 127.693755] Bad frame pointer: expected ff2000000065be50, received ba34c141e9594000
	[ 127.693755] from func do_nanosleep return to ffffffff800ccb16
	[ 127.698699] WARNING: CPU: 1 PID: 129 at kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be
	[ 127.699894] Modules linked in:
	[ 127.700908] CPU: 1 UID: 0 PID: 129 Comm: sleep Not tainted 6.14.0-rc3-g0ab191c74642 #32
	[ 127.701453] Hardware name: riscv-virtio,qemu (DT)
	[ 127.701859] epc : ftrace_return_to_handler+0x1b2/0x1be
	[ 127.702032] ra : ftrace_return_to_handler+0x1b2/0x1be
	[ 127.702151] epc : ffffffff8013b5e0 ra : ffffffff8013b5e0 sp : ff2000000065bd10
	[ 127.702221] gp : ffffffff819c12f8 tp : ff60000080853100 t0 : 6e00000000000000
	[ 127.702284] t1 : 0000000000000020 t2 : 6e7566206d6f7266 s0 : ff2000000065bd80
	[ 127.702346] s1 : ff60000081262000 a0 : 000000000000007b a1 : ffffffff81894f20
	[ 127.702408] a2 : 0000000000000010 a3 : fffffffffffffffe a4 : 0000000000000000
	[ 127.702470] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038
	[ 127.702530] s2 : ba34c141e9594000 s3 : 0000000000000000 s4 : ff2000000065bdd0
	[ 127.702591] s5 : 00007fff8adcf400 s6 : 000055556dc1d8c0 s7 : 0000000000000068
	[ 127.702651] s8 : 00007fff8adf5d10 s9 : 000000000000006d s10: 0000000000000001
	[ 127.702710] s11: 00005555737377c8 t3 : ffffffff819d899e t4 : ffffffff819d899e
	[ 127.702769] t5 : ffffffff819d89a0 t6 : ff2000000065bb18
	[ 127.702826] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003
	[ 127.703292] [<ffffffff8013b5e0>] ftrace_return_to_handler+0x1b2/0x1be
	[ 127.703760] [<ffffffff80017bce>] return_to_handler+0x16/0x26
	[ 127.704009] [<ffffffff80017bb8>] return_to_handler+0x0/0x26
	[ 127.704057] [<ffffffff800d3352>] common_nsleep+0x42/0x54
	[ 127.704117] [<ffffffff800d44a2>] __riscv_sys_clock_nanosleep+0xba/0x10a
	[ 127.704176] [<ffffffff80901c56>] do_trap_ecall_u+0x188/0x218
	[ 127.704295] [<ffffffff8090cc3e>] handle_exception+0x14a/0x156
	[ 127.705436] ---[ end trace 0000000000000000 ]---

	The reason is that the stack layout for constructing argument for the
	ftrace_return_to_handler in the return_to_handler does not match the
	__arch_ftrace_regs structure of riscv, leading to unexpected results.

	The Linux kernel CVE team has assigned CVE-2025-22069 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.14 with commit a3ed4157b7d89800a0008de0c9e46a438a5c3745 and fixed in 6.14.2 with commit 78b39c587b8f6c69140177108f9c08a75b1c7c37
	Issue introduced in 6.14 with commit a3ed4157b7d89800a0008de0c9e46a438a5c3745 and fixed in 6.15 with commit 67a5ba8f742f247bc83e46dd2313c142b1383276

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-22069
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/riscv/kernel/mcount.S


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/78b39c587b8f6c69140177108f9c08a75b1c7c37
	https://git.kernel.org/stable/c/67a5ba8f742f247bc83e46dd2313c142b1383276