CVE-2025-21899 Affecting kernel-uki-virt-addons package, versions *


Severity

medium

Based on CentOS security rating.

  • Snyk ID: SNYK-CENTOS9-KERNELUKIVIRTADDONS-9602625
  • Published: 2 Apr 2025
  • Disclosed: 1 Apr 2025

Introduced: 1 Apr 2025

CVE-2025-21899

How to fix?

There is no fixed version for Centos:9 kernel-uki-virt-addons.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-uki-virt-addons package and not the kernel-uki-virt-addons package as distributed by Centos. See How to fix? for Centos:9 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix bad hist from corrupting named_triggers list

The following commands cause a crash:

    ~# cd /sys/kernel/tracing/events/rcu/rcu_callback
    ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' > trigger
    bash: echo: write error: Invalid argument
    ~# echo 'hist:name=bad:keys=common_pid' > trigger

Because the following occurs:

    event_trigger_write() {
      trigger_process_regex() {
        event_hist_trigger_parse() {

          data = event_trigger_alloc(..);

          event_trigger_register(.., data) {
            cmd_ops->reg(.., data, ..) [hist_register_trigger()] {
              data->ops->init() [event_hist_trigger_init()] {
                save_named_trigger(name, data) {
                  list_add(&data->named_list, &named_triggers);
                }
              }
            }
          }

          ret = create_actions(); (return -EINVAL)
          if (ret)
            goto out_unreg;
          [..]
          ret = hist_trigger_enable(data, ...) {
            list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!! (this is important!)
          [..]
     out_unreg:
          event_hist_unregister(.., data) {
            cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] {
              list_for_each_entry(iter, &file->triggers, list) {
                if (!hist_trigger_match(data, iter, named_data, false)) <- never matches
                  continue;
                [..]
                test = iter;
              }
              if (test && test->ops->free) <<<-- test is NULL

                test->ops->free(test) [event_hist_trigger_free()] {
                  [..]
                  if (data->name)
                    del_named_trigger(data) {
                      list_del(&data->named_list);  <<<<-- NEVER gets removed!
                    }
                  }
               }
             }

             [..]
             kfree(data); <<<-- frees item but it is still on list

The next time a hist with name is registered, it causes a u-a-f bug and the kernel can crash.

Move the code around such that if event_trigger_register() succeeds, the next thing called is hist_trigger_enable() which adds it to the list.

A bunch of actions is called if get_named_trigger_data() returns false. But that doesn't need to be called after event_trigger_register(), so it can be moved up, allowing event_trigger_register() to be called just before hist_trigger_enable() keeping them together and allowing the file->triggers to be properly populated.
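The ordering problem described in the commit message above, as an added example that is not part of the advisory or the kernel source: a userspace C model of the two lists, comparing the old call order with the reordered one. The helper names (`reg`, `enable`, `unreg`, `dangling`, `parse_hist`) and the `freed` flag that stands in for `kfree()` are assumptions made for illustration, and the model goes slightly beyond the text by also covering the success path.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model; names echo the commit message, bodies are simplified. */
struct trigger {
    struct trigger *next_named;  /* link on the global named_triggers list */
    struct trigger *next_file;   /* link on the per-file file->triggers list */
    bool freed;                  /* stands in for kfree(); nothing is really freed */
};
static struct trigger *named_triggers, *file_triggers, hist;

static void reg(struct trigger *t)    { t->next_named = named_triggers; named_triggers = t; }
static void enable(struct trigger *t) { t->next_file = file_triggers; file_triggers = t; }

/* Like hist_unregister_trigger(): cleanup only runs for an entry found on file->triggers. */
static void unreg(struct trigger *t)
{
    struct trigger **fp = &file_triggers, **np = &named_triggers;
    while (*fp && *fp != t) fp = &(*fp)->next_file;
    if (!*fp) return;            /* "test is NULL": named_triggers is left untouched */
    *fp = t->next_file;
    while (*np && *np != t) np = &(*np)->next_named;
    if (*np) *np = t->next_named;
}

/* Count freed entries still linked on named_triggers (the use-after-free precondition). */
static int dangling(void)
{
    int n = 0;
    for (struct trigger *t = named_triggers; t; t = t->next_named) n += t->freed;
    return n;
}

/* One parse attempt; actions_ret models create_actions() (-22 is -EINVAL). */
int parse_hist(bool fixed_order, int actions_ret)
{
    hist = (struct trigger){0};
    named_triggers = file_triggers = NULL;
    if (fixed_order && actions_ret) goto out_free;   /* fails before any list insertion */
    reg(&hist);
    if (!fixed_order && actions_ret) goto out_unreg; /* registered, never enabled */
    enable(&hist);
    return dangling();
out_unreg:
    unreg(&hist);
out_free:
    hist.freed = true;
    return dangling();
}
```

With the old order, a failing `create_actions()` leaves one freed entry linked on `named_triggers`; with the reordered flow the failure happens before the entry is on any list.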

CVSS Base Scores

version 3.1