CVE-2025-71109 Overview
CVE-2025-71109 is a memory corruption vulnerability in the Linux kernel's ftrace (function tracer) implementation for the MIPS architecture. It is triggered when the kernel image is located beyond the 32-bit address space: the dynamic function tracer overflows a fixed two-word buffer while generating the instructions that load the address of _mcount, overwriting neighbouring variables in the __read_mostly section and destabilising the system.
The issue stems from the UASM_i_LA_mostly helper (and therefore UASM_i_LA, which builds on it) emitting more than two instructions when the address of _mcount cannot be expressed as a sign-extended 32-bit value. The ftrace code assumes at most two instructions and stores them in a fixed int[2] array, so the extra words run past the array and overwrite whatever the linker placed after it in the __read_mostly section.
Critical Impact
This vulnerability corrupts kernel variables at boot, which can hang the system very early in the boot sequence or cause unpredictable kernel behaviour when dynamic ftrace is enabled on a MIPS system whose kernel is mapped beyond the 32-bit address space.
Affected Products
- Linux kernel on the MIPS architecture with dynamic function tracing (CONFIG_DYNAMIC_FTRACE) enabled
- Only builds where the kernel code, and therefore _mcount, is located beyond the 32-bit address space
- In practice this means MIPS64 systems; 32-bit kernels always fit the two-instruction sequence
Discovery Timeline
- 2026-01-14 - CVE-2025-71109 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-71109
Vulnerability Analysis
The vulnerability is a classic buffer overflow caused by an incorrect assumption about instruction count in the MIPS ftrace implementation. Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of dynamic Function Tracer"), the tracer has used the UASM_i_LA_mostly helper to load the address of _mcount. On 64-bit kernels that helper emits more than two instructions whenever the address does not sign-extend from 32 bits.
The ftrace code stores the generated instruction words in a fixed int[2] array, insn_la_mcount. A kernel placed in the sign-extended compatibility segment (the usual CKSEG0 placement, addresses of the form 0xffffffff8xxxxxxx) needs only a lui/addiu pair, so the array suffices. When _mcount instead resides at an address beyond the 32-bit space, the helper emits additional words that run past the array and overwrite whatever the linker placed next in the __read_mostly section; in the reported case that was __cpu_primary_thread_mask.
The corruption of __cpu_primary_thread_mask was observed to hang the system during very early boot, which makes the issue particularly severe: the affected machine does not come up at all.
Root Cause
The root cause is a mismatch between the expected maximum instruction count and the number of instructions the address-loading helpers actually generate on 64-bit MIPS. UASM_i_LA_mostly and UASM_i_LA need more than two instructions (a lui/dsll/daddiu sequence) to construct an address that cannot be expressed as a sign-extended 32-bit value, but the ftrace implementation only reserved space for two.
The assumption that two instructions always suffice holds for 32-bit kernels and for 64-bit kernels mapped in the sign-extended compatibility segment, but it breaks as soon as the kernel is mapped at an address that requires the full 64-bit construction.
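To make the instruction count concrete, the following is an added example, not kernel code and not part of this advisory's source. It re-implements the MIPS64 address-load expansion of the kernel's uasm UASM_i_LA in plain C and replays the tracer's initialisation against a model of the __read_mostly layout, first unbounded (the pre-fix pattern) and then with the count checked first. The two _mcount addresses, the eight-word model section and all function names are constructed for illustration; the code assumes a 64-bit host with two's-complement arithmetic right shifts, as the kernel's own relocation helpers do.

```c
/*
 * Added example, not kernel code: re-implements the MIPS64 address-load
 * expansion of the kernel's uasm (UASM_i_LA) and replays the tracer's
 * "la v1, _mcount" initialisation against a model of __read_mostly.
 * Assumes a 64-bit host with two's-complement arithmetic right shifts.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;

#define LA_MCOUNT_WORDS 2           /* the int[2] the tracer reserves           */
#define SECTION_WORDS   8           /* slot plus the variables that follow it   */
#define FILL            0xaaaaaaaau /* recognisable contents of the neighbours  */

/* Constructed _mcount addresses, not taken from any real build. */
#define MCOUNT_CKSEG0 ((int64_t)0xffffffff80101234ULL) /* sign-extends from 32 bits */
#define MCOUNT_XKPHYS ((int64_t)0x9800000004101234ULL) /* beyond 32-bit space       */

/* MIPS encodings; only the opcode/function bits matter for this demonstration. */
static u32 lui(unsigned rt, int imm)                 { return (0x0fu << 26) | (rt << 16) | (imm & 0xffffu); }
static u32 addiu(unsigned rt, unsigned rs, int imm)  { return (0x09u << 26) | (rs << 21) | (rt << 16) | (imm & 0xffffu); }
static u32 daddiu(unsigned rt, unsigned rs, int imm) { return (0x19u << 26) | (rs << 21) | (rt << 16) | (imm & 0xffffu); }
static u32 dsll(unsigned rd, unsigned rt, unsigned sa)   { return (rt << 16) | (rd << 11) | (sa << 6) | 0x38u; }
static u32 dsll32(unsigned rd, unsigned rt, unsigned sa) { return (rt << 16) | (rd << 11) | (sa << 6) | 0x3cu; }

/* Relocation helpers with the same arithmetic as arch/mips/mm/uasm.c. */
static int in_compat_space(int64_t a) { return a == (int32_t)a; }
static int rel_highest(int64_t v) { return (int)(((((v + 0x800080008000LL) >> 48) & 0xffff) ^ 0x8000) - 0x8000); }
static int rel_higher(int64_t v)  { return (int)(((((v + 0x80008000LL) >> 32) & 0xffff) ^ 0x8000) - 0x8000); }
static int rel_hi(int64_t v)      { return (int)(((((v + 0x8000LL) >> 16) & 0xffff) ^ 0x8000) - 0x8000); }
static int rel_lo(int64_t v)      { return (int)(((v & 0xffff) ^ 0x8000) - 0x8000); }

/* Mirrors UASM_i_LA: one or two words for a compat address, three to six otherwise.
 * Like uasm it writes through a cursor and has no idea how big the destination is. */
static void i_la(u32 **buf, unsigned rs, int64_t addr)
{
    if (in_compat_space(addr)) {
        *(*buf)++ = lui(rs, rel_hi(addr));
        if (rel_lo(addr))
            *(*buf)++ = addiu(rs, rs, rel_lo(addr));
        return;
    }
    *(*buf)++ = lui(rs, rel_highest(addr));
    if (rel_higher(addr))
        *(*buf)++ = daddiu(rs, rs, rel_higher(addr));
    if (rel_hi(addr)) {
        *(*buf)++ = dsll(rs, rs, 16);
        *(*buf)++ = daddiu(rs, rs, rel_hi(addr));
        *(*buf)++ = dsll(rs, rs, 16);
    } else {
        *(*buf)++ = dsll32(rs, rs, 0);
    }
    if (rel_lo(addr))
        *(*buf)++ = daddiu(rs, rs, rel_lo(addr));
}

/* Number of words UASM_i_LA emits for addr (scratch is large enough for the longest case). */
size_t la_insn_count(int64_t addr)
{
    u32 scratch[8], *p = scratch;
    i_la(&p, 3, addr);
    return (size_t)(p - scratch);
}

/* Pre-fix pattern: emit straight into the 2-word slot; section[0..1] is the slot,
 * section[2..] stands in for whatever the linker placed next in __read_mostly. */
size_t ftrace_init_unsafe(u32 *section, int64_t mcount)
{
    u32 *p = section;               /* &insn_la_mcount[0] */
    i_la(&p, 3, mcount);            /* writes as many words as the address needs */
    return (size_t)(p - section);
}

/* Bounded variant: count first, refuse when the sequence does not fit, leave the slot alone. */
int ftrace_init_bounded(u32 *section, int64_t mcount)
{
    size_t n = la_insn_count(mcount);
    u32 *p = section;
    if (n > LA_MCOUNT_WORDS)
        return -1;                  /* caller gives up dynamic patching for this case */
    i_la(&p, 3, mcount);
    return (int)n;
}

/* Replays an init against the model section and counts neighbour words that changed. */
size_t neighbour_words_clobbered(int64_t mcount, int bounded)
{
    u32 section[SECTION_WORDS];
    size_t i, clobbered = 0;
    memset(section, 0xaa, sizeof section);
    if (bounded)
        ftrace_init_bounded(section, mcount);
    else
        ftrace_init_unsafe(section, mcount);
    for (i = LA_MCOUNT_WORDS; i < SECTION_WORDS; i++)
        if (section[i] != FILL)
            clobbered++;
    return clobbered;
}

int bounded_init_rc(int64_t mcount)
{
    u32 section[SECTION_WORDS] = {0};
    return ftrace_init_bounded(section, mcount);
}

int main(void)
{
    printf("CKSEG0 _mcount: %zu words, %zu neighbour words clobbered\n",
           la_insn_count(MCOUNT_CKSEG0), neighbour_words_clobbered(MCOUNT_CKSEG0, 0));
    printf("XKPHYS _mcount: %zu words, %zu neighbour words clobbered (unbounded)\n",
           la_insn_count(MCOUNT_XKPHYS), neighbour_words_clobbered(MCOUNT_XKPHYS, 0));
    printf("XKPHYS _mcount, bounded init: rc=%d, %zu neighbour words clobbered\n",
           bounded_init_rc(MCOUNT_XKPHYS), neighbour_words_clobbered(MCOUNT_XKPHYS, 1));
    return 0;
}
```

Compile with any C99 compiler on a 64-bit host. For the CKSEG0-style address the expansion is a lui/addiu pair and fits the slot; for the XKPHYS-style address it is five words (lui, dsll, daddiu, dsll, daddiu), and the unbounded emitter overwrites three words past the slot, which is exactly how a neighbouring __read_mostly variable gets corrupted. The bounded variant computes the count before writing and refuses when it does not fit, which is the shape of fix this advisory describes: losing dynamic tracing for the affected case is preferable to silently overwriting neighbours.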
Attack Vector
There is no attacker-controlled input here: the overflow happens on the affected system itself when dynamic ftrace initialises. The sequence is:
- The system boots a kernel whose code, and therefore _mcount, lies beyond the 32-bit address space
- ftrace prepares the instruction sequence it uses for code outside the kernel code section (modules), which has to load the address of _mcount into a register because a direct jal cannot reach it
- UASM_i_LA generates that address-loading sequence into the fixed int[2] array insn_la_mcount
- More than two instructions are generated, so the write runs past the array
- Variables that follow it in the __read_mostly section are overwritten
- The system hangs, crashes or behaves unpredictably, depending on which variable was hit
This is a local reliability issue rather than a remotely exploitable flaw: an attacker cannot trigger it on demand, but an affected system will hang or misbehave, which amounts to a denial of service.
Detection Methods for CVE-2025-71109
Indicators of Compromise
- System hangs during early boot on MIPS64 systems with ftrace enabled
- Corruption of __cpu_primary_thread_mask or other __read_mostly variables
- Unexpected kernel panics or crashes related to ftrace instrumentation
- Abnormal behavior when enabling dynamic function tracing on MIPS architecture
Detection Strategies
- Monitor for kernel panic messages referencing ftrace or _mcount on MIPS systems
- Check system logs for memory corruption indicators during boot sequences
- Review ftrace configuration on MIPS64 systems and check whether _mcount lies outside the sign-extended 32-bit range (for example from /proc/kallsyms); only those systems are in scope
- Implement kernel crash dump analysis to identify __read_mostly section corruption
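The in-scope check can be scripted. The following is an added example, not part of this advisory and not kernel or distribution tooling: it reads a kallsyms listing (/proc/kallsyms on a live system, or the constructed samples embedded below) and reports whether _mcount lies in the sign-extended 32-bit range, using the same predicate as the kernel's uasm_in_compat_space_p (addr == (int)addr). The sample listings are constructed, and the verdict names and function names are this example's own.

```c
/*
 * Added example, not kernel or distro tooling: reads a kallsyms listing and
 * reports whether _mcount lies outside the sign-extended 32-bit range that the
 * MIPS tracer's 2-word "la v1, _mcount" slot can hold (CVE-2025-71109 scoping).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    MCOUNT_UNKNOWN   = -2, /* address printed as zero (kptr_restrict), cannot decide */
    MCOUNT_NOT_FOUND = -1,
    MCOUNT_FITS      = 0,  /* lui/addiu pair suffices: not in scope                  */
    MCOUNT_OVERFLOWS = 1   /* needs more than two words: in scope                    */
} mcount_verdict;

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Same predicate as the kernel's uasm_in_compat_space_p(): addr == (int)addr. */
static int kallsyms_in_compat_space(uint64_t addr)
{
    return (int64_t)addr == (int64_t)(int32_t)(uint32_t)addr;
}

/* Classify one "<addr> <type> <name> [module]" line; NOT_FOUND unless it is _mcount. */
mcount_verdict classify_kallsyms_line(const char *line)
{
    unsigned long long addr;
    char type, name[128];
    size_t width = strspn(line, "0123456789abcdefABCDEF"); /* hex digits in the address field */

    if (sscanf(line, "%llx %c %127s", &addr, &type, name) != 3)
        return MCOUNT_NOT_FOUND;
    if (strcmp(name, "_mcount") != 0)
        return MCOUNT_NOT_FOUND;
    if (addr == 0)
        return MCOUNT_UNKNOWN;
    if (width <= 8)                 /* 32-bit kernel: two words always suffice */
        return MCOUNT_FITS;
    return kallsyms_in_compat_space(addr) ? MCOUNT_FITS : MCOUNT_OVERFLOWS;
}

/* Walk an in-memory listing; first verdict about _mcount wins. */
mcount_verdict classify_kallsyms_lines(const char *const *lines, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        mcount_verdict v = classify_kallsyms_line(lines[i]);
        if (v != MCOUNT_NOT_FOUND)
            return v;
    }
    return MCOUNT_NOT_FOUND;
}

/* Same walk over a file such as /proc/kallsyms. */
mcount_verdict classify_kallsyms_file(const char *path)
{
    char line[256];
    mcount_verdict v = MCOUNT_NOT_FOUND;
    FILE *f = fopen(path, "r");
    if (!f)
        return MCOUNT_NOT_FOUND;
    while (v == MCOUNT_NOT_FOUND && fgets(line, sizeof line, f))
        v = classify_kallsyms_line(line);
    fclose(f);
    return v;
}

/* Constructed sample listings, not captured from real systems. */
static const char *const sample_cksеg0_placeholder = NULL; /* unused; keeps the samples grouped below */
static const char *const sample_cksg0[] = {
    "ffffffff80100000 T _stext",
    "ffffffff80101234 T _mcount",
    "ffffffff80102000 T ftrace_caller",
};
static const char *const sample_xkphys[] = {
    "9800000004100000 T _stext",
    "9800000004101234 T _mcount",
};
static const char *const sample_mips32[] = {
    "80100000 T _stext",
    "80101234 T _mcount",
};
static const char *const sample_hidden[] = {
    "0000000000000000 T _stext",
    "0000000000000000 T _mcount",
};

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/kallsyms";
    static const char *const names[] = {
        "unknown (address hidden by kptr_restrict)", "not found",
        "fits in 2 words: not in scope", "needs more than 2 words: in scope",
    };
    mcount_verdict v = classify_kallsyms_file(path);
    (void)sample_cksеg0_placeholder;
    printf("%s: _mcount %s\n", path, names[v + 2]);
    return v == MCOUNT_OVERFLOWS;
}
```

Run it as root (or with kptr_restrict relaxed) so that /proc/kallsyms shows real addresses; a listing of zeros yields the "unknown" verdict rather than a false "fits". An 8-digit address field means a 32-bit kernel, which is never in scope regardless of the value. A "needs more than 2 words" verdict on a kernel with CONFIG_DYNAMIC_FTRACE enabled is the combination this advisory describes.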
Monitoring Recommendations
- Enable kernel crash dump collection on MIPS64 systems to capture corruption events
- Monitor boot success rates on systems with dynamic ftrace enabled
- Track kernel versions deployed on MIPS architecture systems for patch status
- Configure alerting for unexpected system reboots or hangs during boot
How to Mitigate CVE-2025-71109
Immediate Actions Required
- Apply the kernel patches from the official Git commits to affected systems
- Temporarily disable dynamic ftrace (CONFIG_DYNAMIC_FTRACE) on vulnerable MIPS64 systems until patches are applied; static function tracing does not generate the overflowing sequence
- Review boot configurations to identify systems potentially affected by 64-bit address mapping
- Prioritize patching for production MIPS systems using dynamic function tracing
Patch Information
The Linux kernel maintainers have released a fix that avoids the corruption by not generating the address-loading sequence when it would exceed the two reserved instruction words. The fix limits what dynamic ftrace can instrument outside the kernel code section in that configuration, which is preferable to memory corruption.
The following kernel commits contain the fix:
Workarounds
- Disable dynamic ftrace on affected MIPS64 systems by setting CONFIG_DYNAMIC_FTRACE=n in kernel configuration
- Configure the kernel to load within 32-bit address space where possible to avoid triggering the overflow
- Use static ftrace (CONFIG_FUNCTION_TRACER with CONFIG_DYNAMIC_FTRACE disabled) instead of dynamic ftrace as a temporary measure until patches are applied
- If ftrace functionality is not required, disable it entirely in kernel configuration
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

