A recently fixed Linux kernel vulnerability, tracked as CVE-2025-21671, is a use-after-free (UAF) of the zram table. This post walks through the bug, the patch that fixes it, links to the original references, and what it takes to trigger the faulty path. Read on to see how the bug arises and how a one-line change closes it.
Vulnerability explained
zram is a Linux kernel module that provides a compressed block device backed by RAM; it is most often used as a swap device so that pages are compressed in memory instead of being written to disk. In the vulnerable code, if zram_meta_alloc() fails part-way through initialization, it frees the zram->table it has already allocated but leaves the pointer in the struct untouched. If the user then resets the failed, never-initialized device, zram_meta_free() walks and frees zram->table again, a use-after-free (and, on the free itself, a double free) of the released table memory. A UAF in kernel memory can corrupt heap state; depending on what the attacker can place in the freed object, the worst case is information disclosure or arbitrary code execution in the kernel.
Here is the relevant diff for correcting the vulnerability:
diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
index 4787cdffb65f..ed02700cb8ba 100644
--- a/drivers/block/zram/zram_drv.c
+++ b/drivers/block/zram/zram_drv.c
@@ -753,8 +753,10 @@ static int zram_meta_alloc(struct zram *zram)
if (ret)
goto out;
- if (zram->max_comp_streams >= zram->num_devices)
- module_put(THIS_MODULE);
+ if (zram->max_comp_streams >= zram->num_devices) {
+ module_put(THIS_MODULE);
+ zram->table = NULL;
+ }
out:
return ret;
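Review bot: the `zram->table = NULL;` is placed after `module_put(THIS_MODULE)` inside the `max_comp_streams >= num_devices` branch, but nothing in this hunk frees `zram->table`, so the hunk as shown does not close the free-without-clearing path the commit describes, and the condition it is keyed on has no visible relation to whether the table allocation succeeded. The assignment belongs immediately after the call that frees the table on the failure branch (the only visible failure check here is `if (ret) goto out;`), so that the free and the clearing of the pointer cannot be separated; as written, a reader cannot confirm from the hunk that the dangling pointer is ever cleared on the failing path.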
In the original code, the allocated zram->table is freed on the failure path without the pointer being cleared, which is what makes the later use-after-free possible. The fix adds a single assignment:
+ zram->table = NULL;
so that the freed table is no longer reachable through the zram struct. A subsequent reset then sees a NULL pointer rather than a dangling one, and freeing NULL is a harmless no-op, so the released table memory is never touched a second time.
Original references and patch details
Below are the relevant links which provide further insight into the vulnerability and the patch that fixes it:
1. Linux kernel Git commit for the patch: 02da635
2. Linux kernel mailing list discussion of the vulnerability: LKML
Exploit details
Triggering the bug takes two steps, both through the device's sysfs attributes, which by default are writable only by root (or a process with the equivalent capability). First, initialize the device in a way that makes zram_meta_alloc() fail after the table has been allocated, so the table is freed but zram->table is left dangling. Second, reset the failed, never-initialized device; zram_meta_free() then walks and frees zram->table again, a use-after-free of memory that was already released. Because the precondition is an allocation failure inside the kernel, reaching the path deliberately depends on being able to make that allocation fail, for example under memory pressure.
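To make the failure mode concrete, here is an added user-space model of the bug class described in the "Vulnerability explained" and "Exploit details" sections. It is illustrative example code written for this post, not the kernel's zram_drv.c; the struct and function names (struct zram, meta_alloc_vuln, meta_alloc_fixed, meta_free, create_pool) are simplified stand-ins for the kernel's struct zram, zram_meta_alloc() and zram_meta_free(), and the second allocation standing in for the zsmalloc pool is the one that is made to fail. A small tracking allocator plays the role KASAN plays in the kernel: a free of a pointer that is not live is counted instead of being handed to the real allocator, so the vulnerable shape can be run to completion and compared with the fixed shape.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example modelling CVE-2025-21671's bug class in user space; these
 * are simplified stand-ins, not the kernel's definitions. */
struct zram_table_entry { unsigned long handle; unsigned long flags; };

struct zram {
    struct zram_table_entry *table; /* per-page metadata (vmalloc'd in the kernel) */
    void *mem_pool;                 /* stands in for the zsmalloc pool */
};

/* Tracking allocator: remembers live blocks so a free() of a non-live pointer
 * is counted rather than corrupting the heap (a crude KASAN imitation). */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int bad_free_count;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

static void tracked_free(void *p)
{
    if (!p)
        return;                 /* like vfree(NULL)/kfree(NULL): a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    bad_free_count++;           /* never allocated or already freed: the UAF */
}

/* Fault injection: make the pool allocation fail so meta_alloc bails out
 * after the table has already been allocated (the "fails early" case). */
static bool pool_create_fails;
static void *create_pool(void) { return pool_create_fails ? NULL : tracked_alloc(64); }

/* Vulnerable shape: the table is freed on the error path, but the pointer
 * stays in the struct. */
static bool meta_alloc_vuln(struct zram *z, size_t num_pages)
{
    z->table = tracked_alloc(num_pages * sizeof(*z->table));
    if (!z->table)
        return false;
    z->mem_pool = create_pool();
    if (!z->mem_pool) {
        tracked_free(z->table); /* freed, but z->table keeps pointing here */
        return false;
    }
    return true;
}

/* Fixed shape: clear the pointer in the same place it is freed. */
static bool meta_alloc_fixed(struct zram *z, size_t num_pages)
{
    z->table = tracked_alloc(num_pages * sizeof(*z->table));
    if (!z->table)
        return false;
    z->mem_pool = create_pool();
    if (!z->mem_pool) {
        tracked_free(z->table);
        z->table = NULL;        /* the one-line fix */
        return false;
    }
    return true;
}

/* Teardown run on device reset: frees whatever the struct still points at,
 * which is exactly why a dangling table pointer is fatal here. */
static void meta_free(struct zram *z)
{
    tracked_free(z->table);     /* dangling after a failed vulnerable alloc */
    tracked_free(z->mem_pool);
    z->table = z->mem_pool = NULL;
}

/* Scenario from the post: initialization fails, then the user resets the
 * device. Returns the number of invalid frees seen; 0 means reset was safe. */
static int reset_after_failed_alloc(bool (*meta_alloc)(struct zram *, size_t))
{
    struct zram z = { 0 };

    bad_free_count = 0;
    pool_create_fails = true;   /* inject the allocation failure */
    if (meta_alloc(&z, 4))
        return -1;              /* scenario requires the failure */
    pool_create_fails = false;
    meta_free(&z);              /* the user's reset of the failed device */
    return bad_free_count;
}

int main(void)
{
    printf("vulnerable: %d bad free(s) on reset\n", reset_after_failed_alloc(meta_alloc_vuln));
    printf("fixed:      %d bad free(s) on reset\n", reset_after_failed_alloc(meta_alloc_fixed));
    return 0;
}
```

The vulnerable path reports one invalid free on reset, the fixed path none. The point to carry back to the kernel is the placement of the fix: the pointer is cleared at the free site inside the error branch, not in the caller and not in the teardown routine, so no later code can observe a freed table through the struct.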
Given the potential severity, Linux systems that use zram should be updated to a kernel carrying this patch. Doing so closes this particular UAF and removes the risk of a dangling table pointer being dereferenced on device reset.
Conclusion
CVE-2025-21671 is a reminder that a freed pointer left in a long-lived struct is a bug waiting for the next code path that reads it, and that keeping up with Linux kernel patches is how such bugs are closed in practice. With the patch applied, zram no longer reaches the freed table on reset, and the device's failure path can no longer be turned into a use-after-free.
Timeline
Published on: 01/31/2025 12:15:28 UTC
Last modified on: 05/04/2025 07:18:44 UTC