A recently resolved Linux kernel vulnerability, CVE-2025-21996, concerns an uninitialized size value in the function radeon_vce_cs_parse(), part of the drm/radeon subsystem. This post walks through the details of the issue and its fix.

Here is a snippet of the patch that addresses the issue:

diff --git a/drivers/gpu/drm/radeon/radeon_vce.c b/drivers/gpu/drm/radeon/radeon_vce.c
index 37f17e4..2e2076b 100644
--- a/drivers/gpu/drm/radeon/radeon_vce.c
+++ b/drivers/gpu/drm/radeon/radeon_vce.c
@@ -192,7 +192,7 @@ static int radeon_vce_cs_parse(struct radeon_cs_parser *p)
        struct radeon_cs_packet pkt;
        unsigned size;
        int i;
-       u32 tmp;
+       u32 tmp = ;
        int r;
 
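Review bot: the `+` line `u32 tmp = ;` has no initializer value and would not compile as shown; the value has evidently been lost in rendering, and since the description below presents the fix as initializing 'tmp' so that radeon_vce_cs_reloc() fails early, the line should read `u32 tmp = 0;` (the kernel's usual zero-initialization) before this hunk is applied anywhere. The hunk also shows only the declaration, not the point where 'size' is made to point at 'tmp' or the encode case that consumes it, so a one-line comment at the declaration stating that 0 is a deliberate safe default for the size pointer would help the next reader understand why the initializer matters.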

Original Reference

The vulnerability was originally found by the Linux Verification Center (linuxtesting.org) using the SVACE static analysis tool. The fix has been cherry-picked from commit 2d52de55f9ee7aaeee09ac443f77855989c6b68.

Exploit Details

This vulnerability resides in the radeon_vce_cs_parse() function, which is responsible for processing command streams submitted by userspace applications via ioctl() system calls.

The issue occurs when a specially crafted command stream is passed to this function, specifically when the first command to execute is an encode operation (case 0x03000001). In that scenario, the function calls radeon_vce_cs_reloc() with a 'size' argument that has not been properly initialized: 'size' points to the 'tmp' variable before 'tmp' has been assigned any value.

The resolution initializes 'tmp' to 0. As a result, radeon_vce_cs_reloc() catches an early error when it is handed such an improperly crafted command stream, instead of operating on whatever value happened to be on the stack.
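To make the bug pattern concrete, here is an added example written for this post, not the driver's code: a simplified model of the parser in which 'size' aliases 'tmp', with a `fixed` flag selecting the patched zero-initialization and a `stale` parameter standing in for stack residue. The opcodes, the reloc check and the command streams are constructed and simplified assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model of the radeon VCE command-stream parser, written for
 * this post; it is not the driver's code. Opcodes and streams are constructed. */
#define VCE_CMD_ENCODE    0x03000001u  /* consumes *size, set by an earlier command */
#define VCE_CMD_BITSTREAM 0x05000004u  /* payload word carries the buffer size */
#define EINVAL 22

/* Model of the reloc bounds check against one buffer of bo_size bytes;
 * unlike the driver, this model refuses a zero-length request explicitly. */
static int vce_cs_reloc(uint32_t offset, uint32_t size, uint32_t bo_size)
{
    if (size == 0)
        return -EINVAL;
    if (offset >= bo_size || bo_size - offset < size)
        return -EINVAL;                /* buffer too small for the request */
    return 0;
}

/* Parse (opcode, payload) word pairs. `stale` stands in for whatever the
 * pre-fix code would find in the uninitialised `tmp` on the kernel stack;
 * with fixed == true the variable starts at 0, as the patch makes it. */
static int vce_cs_parse(const uint32_t *cmds, size_t n, uint32_t bo_size,
                        bool fixed, uint32_t stale)
{
    uint32_t tmp = fixed ? 0 : stale;
    uint32_t *size = &tmp;             /* size aliases tmp, as in the driver */
    for (size_t i = 0; i + 1 < n; i += 2) {
        int r;
        switch (cmds[i]) {
        case VCE_CMD_BITSTREAM:
            tmp = cmds[i + 1];         /* this command is what sets the size */
            r = vce_cs_reloc(0, tmp, bo_size);
            break;
        case VCE_CMD_ENCODE:
            r = vce_cs_reloc(0, *size, bo_size);
            break;
        default:
            return -EINVAL;            /* unknown command */
        }
        if (r)
            return r;
    }
    return 0;
}

/* Constructed streams: encode before any size was set, and the proper order. */
static const uint32_t encode_first[] = { VCE_CMD_ENCODE, 0 };
static const uint32_t proper_order[] = { VCE_CMD_BITSTREAM, 1024, VCE_CMD_ENCODE, 0 };
```

With `fixed` false and a small stale value, the encode-first stream is accepted with a size that nothing validated; with the patch's initialization it is refused at the first reloc check.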

Conclusion

The fix for CVE-2025-21996 removes the uninitialized size issue in the radeon_vce_cs_parse() function of the Linux kernel's drm/radeon subsystem, so that a malformed command stream is rejected early rather than processed with an unvalidated size. Systems that use the affected VCE feature gain more stable and secure operation as a result.

Timeline

Published on: 04/03/2025 08:15:15 UTC
Last modified on: 05/04/2025 07:27:03 UTC