CVE-2025-71143 Overview
CVE-2025-71143 is a vulnerability in the Linux kernel affecting the Samsung Exynos clock output driver (clk-exynos-clkout.c). The issue stems from improper initialization order in the exynos_clkout_probe() function, where the .hws[] array is accessed before the .num member is assigned. This triggers UBSAN (Undefined Behavior Sanitizer) bounds checking warnings because the __counted_by annotation relies on .num being set before any array access occurs.
Critical Impact
Improper array bounds initialization in the Samsung Exynos clock driver can trigger undefined behavior and UBSAN warnings during kernel execution, potentially affecting system stability on Samsung Exynos-based platforms.
Affected Products
- Linux kernel with Samsung Exynos clock output driver (clk-exynos-clkout)
- Systems using the clk_hw_onecell_data structure with __counted_by annotation
- Samsung Exynos-based embedded platforms and devices
Discovery Timeline
- 2026-01-14 - CVE CVE-2025-71143 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-71143
Vulnerability Analysis
This vulnerability is an Out-of-Bounds Read/Write condition caused by improper initialization ordering within the Linux kernel's Samsung Exynos clock driver. The issue was introduced when commit f316cdff8d67 added the __counted_by annotation to the hws member of struct clk_hw_onecell_data. This annotation informs the UBSAN bounds sanitizer about the expected number of elements in the .hws[] array.
The fundamental problem is that the bounds sanitizer relies on the .num field to determine valid array access ranges. When .hws[] is accessed before .num is initialized, the sanitizer interprets the array as having zero elements, causing every access to be flagged as out-of-bounds—even when the access would otherwise be valid.
Root Cause
The root cause is an initialization order violation in the exynos_clkout_probe() function. The code accesses .hws[0] and subsequent indices before setting the .num member to indicate how many elements the array contains. With the __counted_by annotation in place, this sequence triggers UBSAN bounds checking because the sanitizer sees .num as zero (uninitialized) when the first array access occurs at index 0.
The fix involves moving the .num assignment to occur before any .hws[] array access, ensuring the bounds sanitizer has correct size information before validation occurs.
Attack Vector
While this vulnerability primarily manifests as a kernel warning and potential undefined behavior, the attack vector involves triggering the exynos_clkout_probe() function during device initialization on Samsung Exynos platforms. An attacker with local access to an affected system could potentially exploit this undefined behavior condition, though practical exploitation would require specific kernel configurations and hardware presence.
The vulnerability occurs in the kernel clock subsystem during probe operations, meaning it is triggered during device initialization rather than through direct user interaction.
Detection Methods for CVE-2025-71143
Indicators of Compromise
- UBSAN warning messages in kernel logs containing array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18
- Kernel log entries showing index 0 is out of range for type 'clk_hw *[*]'
- Unexpected behavior or crashes during boot on Samsung Exynos-based systems with UBSAN enabled
Detection Strategies
- Monitor kernel logs (dmesg) for UBSAN warnings related to clk-exynos-clkout.c
- Enable kernel UBSAN bounds checking (CONFIG_UBSAN_BOUNDS) to detect this and similar initialization order issues
- Audit kernel configuration for Samsung Exynos clock driver inclusion (CONFIG_COMMON_CLK_SAMSUNG)
Monitoring Recommendations
- Implement centralized kernel log collection for systems running affected Linux kernel versions
- Configure alerting for UBSAN array bounds violations in production environments
- Monitor system stability on Samsung Exynos platforms during boot and clock subsystem initialization
How to Mitigate CVE-2025-71143
Immediate Actions Required
- Update to a patched Linux kernel version that includes the initialization order fix
- Review kernel configuration to determine if the Samsung Exynos clock driver is enabled
- Monitor affected systems for signs of instability during boot operations
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability by reordering the initialization sequence. The fix moves the .num assignment to occur before the first .hws[] array access in exynos_clkout_probe().
Patches are available through the following kernel commits:
- Kernel commit a317f63255ebc3dac378c79c5bff4f8d0561c290
- Kernel commit cf33f0b7df13685234ccea7be7bfe316b60db4db
- Kernel commit eb1f3a6ab3efee2b52361879cdc2dc6b11f499c0
- Kernel commit fbf57f5e453dadadb3d29b2d1dbe067e3dc4e236
Workarounds
- Disable UBSAN bounds checking (CONFIG_UBSAN_BOUNDS=n) as a temporary workaround, though this reduces security visibility
- If not required, disable the Samsung Exynos clock output driver (CONFIG_COMMON_CLK_EXYNOS_CLKOUT=n) in kernel configuration
- Apply vendor-specific kernel updates for Samsung Exynos-based devices when available
# Check if Samsung Exynos clock driver is enabled in kernel config
grep -i "CONFIG_COMMON_CLK_EXYNOS" /boot/config-$(uname -r)
# Check for UBSAN bounds warnings related to this vulnerability
dmesg | grep -i "clk-exynos-clkout"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
