目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2025-21825— Linux kernel 安全漏洞

AI 预测 5.5 利用难度: 困难 EPSS 0.16% · P5

可能的 ATT&CK 技术 1AI

T1055 · Process Injection

影响版本矩阵 8

厂商产品版本范围状态
LinuxLinuxb00628b1c7d595ae5b544e059c27b1f5828314b4< 33e47d9573075342a41783a55c8c67bc71246fc1affected
b00628b1c7d595ae5b544e059c27b1f5828314b4< fbeda3d939ca10063aafa7a77cc0f409d82cda88affected
b00628b1c7d595ae5b544e059c27b1f5828314b4< 58f038e6d209d2dd862fcf5de55407855856794daffected
5.15affected
< 5.15unaffected
6.12.13≤ 6.12.*unaffected
6.13.2≤ 6.13.*unaffected
6.14≤ *unaffected
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2025-21825 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT During the update procedure, when overwrite element in a pre-allocated htab, the freeing of old_element is protected by the bucket lock. The reason why the bucket lock is necessary is that the old_element has already been stashed in htab->extra_elems after alloc_htab_elem() returns. If freeing the old_element after the bucket lock is unlocked, the stashed element may be reused by concurrent update procedure and the freeing of old_element will run concurrently with the reuse of the old_element. However, the invocation of check_and_free_fields() may acquire a spin-lock which violates the lockdep rule because its caller has already held a raw-spin-lock (bucket lock). The following warning will be reported when such race happens: BUG: scheduling while atomic: test_progs/676/0x00000003 3 locks held by test_progs/676: #0: ffffffff864b0240 (rcu_read_lock_trace){....}-{0:0}, at: bpf_prog_test_run_syscall+0x2c0/0x830 #1: ffff88810e961188 (&htab->lockdep_key){....}-{2:2}, at: htab_map_update_elem+0x306/0x1500 #2: ffff8881f4eac1b8 (&base->softirq_expiry_lock){....}-{2:2}, at: hrtimer_cancel_wait_running+0xe9/0x1b0 Modules linked in: bpf_testmod(O) Preemption disabled at: [<ffffffff817837a3>] htab_map_update_elem+0x293/0x1500 CPU: 0 UID: 0 PID: 676 Comm: test_progs Tainted: G ... 6.12.0+ #11 Tainted: [W]=WARN, [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)... Call Trace: <TASK> dump_stack_lvl+0x57/0x70 dump_stack+0x10/0x20 __schedule_bug+0x120/0x170 __schedule+0x300c/0x4800 schedule_rtlock+0x37/0x60 rtlock_slowlock_locked+0x6d9/0x54c0 rt_spin_lock+0x168/0x230 hrtimer_cancel_wait_running+0xe9/0x1b0 hrtimer_cancel+0x24/0x30 bpf_timer_delete_work+0x1d/0x40 bpf_timer_cancel_and_free+0x5e/0x80 bpf_obj_free_fields+0x262/0x4a0 check_and_free_fields+0x1d0/0x280 htab_map_update_elem+0x7fc/0x1500 bpf_prog_9f90bc20768e0cb9_overwrite_cb+0x3f/0x43 bpf_prog_ea601c4649694dbd_overwrite_timer+0x5d/0x7e bpf_prog_test_run_syscall+0x322/0x830 __sys_bpf+0x135d/0x3ca0 __x64_sys_bpf+0x75/0xb0 x64_sys_call+0x1b5/0xa10 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 ... </TASK> It seems feasible to break the reuse and refill of per-cpu extra_elems into two independent parts: reuse the per-cpu extra_elems with bucket lock being held and refill the old_element as per-cpu extra_elems after the bucket lock is unlocked. However, it will make the concurrent overwrite procedures on the same CPU return unexpected -E2BIG error when the map is full. Therefore, the patch fixes the lock problem by breaking the cancelling of bpf_timer into two steps for PREEMPT_RT: 1) use hrtimer_try_to_cancel() and check its return value 2) if the timer is running, use hrtimer_cancel() through a kworker to cancel it again Considering that the current implementation of hrtimer_cancel() will try to acquire a being held softirq_expiry_lock when the current timer is running, these steps above are reasonable. However, it also has downside. When the timer is running, the cancelling of the timer is delayed when releasing the last map uref. The delay is also fixable (e.g., break the cancelling of bpf timer into two parts: one part in locked scope, another one in unlocked scope), it can be revised later if necessary. It is a bit hard to decide the right fix tag. One reason is that the problem depends on PREEMPT_RT which is enabled in v6.12. Considering the softirq_expiry_lock lock exists since v5.4 and bpf_timer is introduced in v5.15, the bpf_timer commit is used in the fixes tag and an extra depends-on tag is added to state the dependency on PREEMPT_RT. Depends-on: v6.12+ with PREEMPT_RT enabled
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
Linux kernel 安全漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于在PREEMPT_RT环境中通过kworker取消正在运行的bpf_timer时可能导致调度问题。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD

受影响产品

厂商产品影响版本CPE订阅
LinuxLinux b00628b1c7d595ae5b544e059c27b1f5828314b4 ~ 33e47d9573075342a41783a55c8c67bc71246fc1 -
LinuxLinux 5.15 -

二、漏洞 CVE-2025-21825 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2025-21825 的情报信息

登录查看更多情报信息。

CVE-2025-21825 补丁与修复 (3)

同批安全公告 · Linux · 2025-03-06 · 共 46 条

CVE-2024-58063Linux kernel 安全漏洞
CVE-2024-58060Linux kernel 资源管理错误漏洞
CVE-2024-58058Linux kernel 安全漏洞
CVE-2024-58055Linux kernel 安全漏洞
CVE-2024-58053Linux kernel 安全漏洞
CVE-2024-58054Linux kernel 安全漏洞
CVE-2024-58052Linux kernel 安全漏洞
CVE-2024-58051Linux kernel 安全漏洞
CVE-2024-58056Linux kernel 安全漏洞
CVE-2024-58062Linux kernel 安全漏洞
CVE-2024-58061Linux kernel 安全漏洞
CVE-2024-58064Linux kernel 安全漏洞
CVE-2024-58065Linux kernel 安全漏洞
CVE-2024-58066Linux kernel 安全漏洞
CVE-2024-58067Linux kernel 安全漏洞
CVE-2024-58069Linux kernel 安全漏洞
CVE-2024-58068Linux kernel 安全漏洞
CVE-2024-58070Linux kernel 安全漏洞
CVE-2024-58071Linux kernel 安全漏洞
CVE-2024-58072Linux kernel 安全漏洞

显示前 20 条,共 46 条。 查看全部 &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2025-21825

暂无评论


发表评论