The Linux kernel recently fixed a vulnerability related to the drop_monitor module. This vulnerability was discovered by InfoTeCS on behalf of the Linux Verification Center (linuxtesting.org) using the Syzkaller fuzzer. The issue stems from an incorrect initialization order in the drop_monitor kernel module, which could potentially lead to a spinlock bad magic bug.
Exploit Details
Syzkaller, a powerful kernel fuzzer, reported the following bug:
(Refer to the code snippet in the content above)
This bug occurs when drop_monitor is built as a kernel module. In this scenario, Syzkaller might send a netlink NET_DM_CMD_START message during the module loading process. As a result, the net_dm_monitor_start() function is called, which uses a spinlock that has not yet been initialized.
To address this issue, the solution is to place resource initialization above the registration of a generic netlink family. This will ensure that the spinlock is correctly initialized before it is used by the net_dm_monitor_start() function.
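The following user-space C program is an added illustration, not code from the kernel or from the advisory. It models the failure mode described above: a spinlock that carries a debug magic value (the idea behind CONFIG_DEBUG_SPINLOCK's "bad magic" check), a module-init routine that registers its command handler, and a pending NET_DM_CMD_START that the model dispatches synchronously at registration time to stand in for the window Syzkaller hit. The lock type, the `register_family()` stand-in and the immediate dispatch are all constructed assumptions; in the real kernel the message arrives from another CPU.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy debug-checked spinlock (constructed). A real kernel lock built with
 * CONFIG_DEBUG_SPINLOCK stores a magic value on init and complains with
 * "spinlock bad magic" when a lock is taken before spin_lock_init(). */
#define SPINLOCK_MAGIC 0xdead4eadu

struct dm_spinlock {
    uint32_t magic;
    int locked;
};

static void dm_spin_lock_init(struct dm_spinlock *l)
{
    l->magic = SPINLOCK_MAGIC;
    l->locked = 0;
}

/* Returns 0 on success, -1 if the lock was never initialized. */
static int dm_spin_lock(struct dm_spinlock *l)
{
    if (l->magic != SPINLOCK_MAGIC)
        return -1;                       /* the "bad magic" case */
    l->locked = 1;
    return 0;
}

static void dm_spin_unlock(struct dm_spinlock *l)
{
    l->locked = 0;
}

/* Module-global state, zero-filled like kernel .bss: magic starts at 0. */
static struct dm_spinlock trace_lock;
static int monitoring;

/* Stand-in for net_dm_monitor_start(): it takes trace_lock. */
static int monitor_start(void)
{
    if (dm_spin_lock(&trace_lock) < 0)
        return -1;
    monitoring = 1;
    dm_spin_unlock(&trace_lock);
    return 0;
}

typedef int (*cmd_handler_t)(void);

/* Stand-in for genl_register_family(): in this model a NET_DM_CMD_START
 * message is already waiting, so the handler runs as soon as the family
 * is registered. Its result is reported through *cmd_result. */
static int register_family(cmd_handler_t start_cmd, int *cmd_result)
{
    *cmd_result = start_cmd();
    return 0;
}

static void reset_state(void)
{
    memset(&trace_lock, 0, sizeof trace_lock);
    monitoring = 0;
}

/* Buggy order: register first, initialize the lock afterwards.
 * Returns the result of the command that raced with module load. */
int init_buggy_order(void)
{
    int cmd_result;

    reset_state();
    register_family(monitor_start, &cmd_result);
    dm_spin_lock_init(&trace_lock);      /* too late for cmd_result */
    return cmd_result;
}

/* Fixed order: initialize the lock, then register the family. */
int init_fixed_order(void)
{
    int cmd_result;

    reset_state();
    dm_spin_lock_init(&trace_lock);
    register_family(monitor_start, &cmd_result);
    return cmd_result;
}

int main(void)
{
    printf("buggy order:  %s\n",
           init_buggy_order() < 0 ? "spinlock bad magic" : "ok");
    printf("fixed order:  %s\n",
           init_fixed_order() < 0 ? "spinlock bad magic" : "ok");
    return 0;
}
```

The point the model makes is that registration is the moment a handler becomes reachable from user space, so anything a handler touches must be ready before that call returns; the same ordering rule applies to any kernel module that registers a netlink family, a sysfs attribute or a character device before finishing its own setup.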
Original References
- Syzkaller: https://syzkaller.appspot.com/
- Linux Verification Center: https://linuxtesting.org/
- InfoTeCS: https://www.infotecs.biz/
- Linux Kernel Mailing List (LKML): https://lkml.org/
Here is a code snippet showing the fixed initialization order in the drop_monitor kernel module:

// Before the fix: the generic netlink family is registered first, so a
// NET_DM_CMD_START message can reach net_dm_monitor_start() while the
// spinlocks below are still uninitialized (spinlock bad magic).
static int __init init_net_drop_monitor(void)
{
    int ret;

    ret = genl_register_family_with_ops(&net_drop_monitor_family,
                                        net_dm_ctrl_ops,
                                        ARRAY_SIZE(net_dm_ctrl_ops));
    if (ret)
        return ret;

    /* Too late: userspace may already have triggered the handlers. */
    spin_lock_init(&trace_lock);
    spin_lock_init(&skb_trace_lock);
    return 0;
}

// After the fix: resources are initialized before the family is registered,
// so every command handler sees fully initialized spinlocks.
static int __init init_net_drop_monitor(void)
{
    int ret;

    spin_lock_init(&trace_lock);
    spin_lock_init(&skb_trace_lock);

    ret = genl_register_family_with_ops(&net_drop_monitor_family,
                                        net_dm_ctrl_ops,
                                        ARRAY_SIZE(net_dm_ctrl_ops));
    if (ret)
        return ret;
    return 0;
}
Conclusion
The Linux kernel has resolved the CVE-2025-21862 vulnerability in the drop_monitor module, thanks to the efforts of InfoTeCS and the Linux Verification Center. The fix involves changing the initialization order of resources in the module, ensuring that spinlocks are correctly initialized before use. It is highly recommended to keep your Linux kernel up-to-date with the latest security patches to prevent potential exploits.
Timeline
Published on: 03/12/2025 10:15:19 UTC
Last modified on: 03/24/2025 15:41:33 UTC