CVE-2025-21852 Information

Mar 13, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

net: Add rx_skb of kfree_skb to raw_tp_null_args[].

Yan Zhai reported a BPF prog could trigger a null-ptr-deref [0] in trace_kfree_skb if the prog does not check if rx_sk is NULL.

Commit c53795d48ee8 ( et: add rx_sk to trace_kfree_skb) added rx_sk to trace_kfree_skb but rx_sk is optional and could be NULL.

Let’s add kfree_skb to raw_tp_null_args[] to let the BPF verifier validate such a prog and prevent the issue.

Now we fail to load such a prog:

libbpf: prog ‘drop’: – BEGIN PROG LOAD LOG – 0: R1=ctx() R10=fp0 ; int BPF_PROG(drop struct sk_buff skb void location @ kfree_skb_sk_null.bpf.c:21 0: (79) r3 = (u64 )(r1 +24) func ‘kfree_skb’ arg3 has btf_id 5253 type STRUCT ‘sock’ 1: R1=ctx() R3_w=trusted_ptr_or_null_sock(id=1) ; bpf_printk(\sk: %d %d\n\ sk sk->_sk_common.skc_family); @ kfree_skb_sk_null.bpf.c:24 1: (69) r4 = (u16 )(r3 +16) R3 invalid mem access ’trusted_ptr_or_null’ processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 – END PROG LOAD LOG –

Note this fix requires commit 838a10bd2ebf (pf: Augment raw_tp arguments with PTR_MAYBE_NULL).

[0]: BUG: kernel NULL pointer dereference address: 0000000000000010 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 P4D 0 PREEMPT SMP RIP: 0010:bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d Call Trace: ? __die+0x1f/0x60 ? page_fault_oops+0x148/0x420 ? search_bpf_extables+0x5b/0x70 ? fixup_exception+0x27/0x2c0 ? exc_page_fault+0x75/0x170 ? asm_exc_page_fault+0x22/0x30 ? bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d bpf_trace_run4+0x68/0xd0 ? unix_stream_connect+0x1f4/0x6f0 sk_skb_reason_drop+0x90/0x120 unix_stream_connect+0x1f4/0x6f0 __sys_connect+0x7f/0xb0 __x64_sys_connect+0x14/0x20 do_syscall_64+0x47/0xc30 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Reference

https://git.kernel.org/stable/c/4dba79c1e7aad6620bbb707b6c4459380fd90860 https://git.kernel.org/stable/c/5da7e15fb5a12e78de974d8908f348e279922ce9 https://git.kernel.org/stable/c/f579afacd0a66971fc8481f30d2d377e230a8342

Share on: