Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71109

CVE-2025-71109: Linux Kernel Buffer Overflow Vulnerability

CVE-2025-71109 is a buffer overflow vulnerability in the Linux kernel MIPS ftrace implementation that causes memory corruption when the kernel is located beyond 32 bits. This article covers technical details, affected systems, and patches.

Published:

CVE-2025-71109 Overview

CVE-2025-71109 is a memory corruption vulnerability in the Linux kernel affecting the MIPS architecture's ftrace (function tracer) implementation. The vulnerability occurs when the kernel is located beyond 32-bit address space, causing a buffer overflow in the dynamic function tracer that can lead to corruption of read-mostly kernel variables and system instability.

The issue stems from the UASM_i_LA_mostly macro (and subsequently UASM_i_LA) generating more than 2 instructions when the _mcount function address exceeds 32 bits. The ftrace code incorrectly assumes a maximum of 2 instructions and stores them in a fixed-size int[2] array, resulting in a buffer overflow that corrupts variables in the __read_mostly section.

Critical Impact

This vulnerability causes memory corruption of kernel variables, potentially leading to system hangs during early boot or unpredictable kernel behavior when ftrace is enabled on MIPS systems with memory mapped beyond 32-bit address space.

Affected Products

  • Linux Kernel (MIPS architecture with ftrace enabled)
  • Systems where kernel code is located beyond 32-bit address space
  • MIPS64 systems with dynamic function tracing enabled

Discovery Timeline

  • 2026-01-14 - CVE CVE-2025-71109 published to NVD
  • 2026-01-14 - Last updated in NVD database

Technical Details for CVE-2025-71109

Vulnerability Analysis

The vulnerability is a classic buffer overflow caused by an incorrect assumption about instruction count in the MIPS ftrace implementation. When the kernel introduced commit e424054000878 ("MIPS: Tracing: Reduce the overhead of dynamic Function Tracer"), it began using the UASM_i_LA_mostly macro for loading addresses. This macro can generate more than 2 instructions when handling 64-bit addresses.

The ftrace code maintains a fixed-size array of int[2] to store the generated instructions. When _mcount resides at an address beyond 32 bits (which is common on MIPS64 systems), the macro generates additional instructions that overflow this buffer. The overflow corrupts adjacent memory in the __read_mostly section, including critical kernel variables such as __cpu_primary_thread_mask.

The corruption of __cpu_primary_thread_mask was specifically observed to cause system hangs during very early boot stages, making the issue particularly severe as it prevents successful system startup.

Root Cause

The root cause is a mismatch between the expected maximum instruction count and the actual number of instructions generated by address-loading macros on 64-bit MIPS systems. The UASM_i_LA_mostly and UASM_i_LA macros require more than 2 instructions to construct addresses that exceed 32 bits, but the ftrace implementation only allocated space for 2 instructions.

The assumption that 2 instructions would always suffice was valid for 32-bit address spaces but breaks when the kernel is mapped at addresses requiring full 64-bit address construction.

Attack Vector

This vulnerability is triggered locally when ftrace (dynamic function tracing) is enabled on affected MIPS systems. The attack vector involves:

  1. System boots with kernel code located beyond 32-bit address space
  2. ftrace attempts to instrument code outside the kernel code section
  3. The insn_la_mcount function generates address-loading instructions
  4. Buffer overflow occurs when more than 2 instructions are generated
  5. Variables in __read_mostly section become corrupted
  6. System experiences undefined behavior, hangs, or crashes

While this is primarily a local stability issue rather than a remotely exploitable vulnerability, it can cause denial of service conditions and unpredictable system behavior.

Detection Methods for CVE-2025-71109

Indicators of Compromise

  • System hangs during early boot on MIPS64 systems with ftrace enabled
  • Corruption of __cpu_primary_thread_mask or other __read_mostly variables
  • Unexpected kernel panics or crashes related to ftrace instrumentation
  • Abnormal behavior when enabling dynamic function tracing on MIPS architecture

Detection Strategies

  • Monitor for kernel panic messages referencing ftrace or _mcount on MIPS systems
  • Check system logs for memory corruption indicators during boot sequences
  • Review ftrace configuration on MIPS64 systems where kernel is mapped beyond 32-bit addresses
  • Implement kernel crash dump analysis to identify __read_mostly section corruption

Monitoring Recommendations

  • Enable kernel crash dump collection on MIPS64 systems to capture corruption events
  • Monitor boot success rates on systems with dynamic ftrace enabled
  • Track kernel versions deployed on MIPS architecture systems for patch status
  • Configure alerting for unexpected system reboots or hangs during boot

How to Mitigate CVE-2025-71109

Immediate Actions Required

  • Apply the kernel patches from the official Git commits to affected systems
  • Temporarily disable ftrace on vulnerable MIPS64 systems until patches are applied
  • Review boot configurations to identify systems potentially affected by 64-bit address mapping
  • Prioritize patching for production MIPS systems using dynamic function tracing

Patch Information

The Linux kernel maintainers have released patches that prevent the corruption by avoiding instruction generation when the count would exceed 2 instructions. The fix limits the scope of dynamic ftrace when instrumenting code outside the kernel code section, which is preferable to memory corruption.

The following kernel commits contain the fix:

Workarounds

  • Disable dynamic ftrace on affected MIPS64 systems by setting CONFIG_DYNAMIC_FTRACE=n in kernel configuration
  • Configure the kernel to load within 32-bit address space where possible to avoid triggering the overflow
  • Use static ftrace instead of dynamic ftrace as a temporary measure until patches are applied
  • If ftrace functionality is not required, disable it entirely in kernel configuration

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.