VYPR
High severity (7.8) · NVD Advisory · Published Apr 16, 2025 · Updated Apr 6, 2026

CVE-2025-22069

Description

In the Linux kernel, the following vulnerability has been resolved:

riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler

Naresh Kamboju reported a "Bad frame pointer" kernel warning while running the LTP trace ftrace_stress_test.sh on riscv. We can reproduce the same issue with the following commands:

$ cd /sys/kernel/debug/tracing
$ echo 'f:myprobe do_nanosleep%return args1=$retval' > dynamic_events
$ echo 1 > events/fprobes/enable
$ echo 1 > tracing_on
$ sleep 1

And we can get the following kernel warning:

[ 127.692888] ------------[ cut here ]------------
[ 127.693755] Bad frame pointer: expected ff2000000065be50, received ba34c141e9594000
[ 127.693755] from func do_nanosleep return to ffffffff800ccb16
[ 127.698699] WARNING: CPU: 1 PID: 129 at kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be
[ 127.699894] Modules linked in:
[ 127.700908] CPU: 1 UID: 0 PID: 129 Comm: sleep Not tainted 6.14.0-rc3-g0ab191c74642 #32
[ 127.701453] Hardware name: riscv-virtio,qemu (DT)
[ 127.701859] epc : ftrace_return_to_handler+0x1b2/0x1be
[ 127.702032] ra : ftrace_return_to_handler+0x1b2/0x1be
[ 127.702151] epc : ffffffff8013b5e0 ra : ffffffff8013b5e0 sp : ff2000000065bd10
[ 127.702221] gp : ffffffff819c12f8 tp : ff60000080853100 t0 : 6e00000000000000
[ 127.702284] t1 : 0000000000000020 t2 : 6e7566206d6f7266 s0 : ff2000000065bd80
[ 127.702346] s1 : ff60000081262000 a0 : 000000000000007b a1 : ffffffff81894f20
[ 127.702408] a2 : 0000000000000010 a3 : fffffffffffffffe a4 : 0000000000000000
[ 127.702470] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038
[ 127.702530] s2 : ba34c141e9594000 s3 : 0000000000000000 s4 : ff2000000065bdd0
[ 127.702591] s5 : 00007fff8adcf400 s6 : 000055556dc1d8c0 s7 : 0000000000000068
[ 127.702651] s8 : 00007fff8adf5d10 s9 : 000000000000006d s10: 0000000000000001
[ 127.702710] s11: 00005555737377c8 t3 : ffffffff819d899e t4 : ffffffff819d899e
[ 127.702769] t5 : ffffffff819d89a0 t6 : ff2000000065bb18
[ 127.702826] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003
[ 127.703292] [<ffffffff8013b5e0>] ftrace_return_to_handler+0x1b2/0x1be
[ 127.703760] [<ffffffff80017bce>] return_to_handler+0x16/0x26
[ 127.704009] [<ffffffff80017bb8>] return_to_handler+0x0/0x26
[ 127.704057] [<ffffffff800d3352>] common_nsleep+0x42/0x54
[ 127.704117] [<ffffffff800d44a2>] __riscv_sys_clock_nanosleep+0xba/0x10a
[ 127.704176] [<ffffffff80901c56>] do_trap_ecall_u+0x188/0x218
[ 127.704295] [<ffffffff8090cc3e>] handle_exception+0x14a/0x156
[ 127.705436] ---[ end trace 0000000000000000 ]---

The reason is that the stack layout for constructing the argument for ftrace_return_to_handler in return_to_handler does not match the __arch_ftrace_regs structure of riscv, leading to unexpected results.
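As an added defender-side example (not part of the advisory or of the kernel fix), the following Python picks the fgraph "Bad frame pointer" warning out of dmesg-style lines and checks a `uname -r` string against the advisory's affected range (>=6.14, <6.14.2). The sample lines are constructed from the warning quoted above; treating a `-rc` suffix as its base release is an assumption of this script, not something the advisory states.

```python
import re

# Shape of the two warning lines emitted from kernel/trace/fgraph.c when the
# frame pointer read back from the stack differs from the one fgraph saved.
_BAD_FP = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+Bad frame pointer: expected (?P<expected>[0-9a-f]+), "
    r"received (?P<received>[0-9a-f]+)"
)
_FROM_FUNC = re.compile(
    r"\[\s*\d+\.\d+\]\s+from func (?P<func>\S+) return to (?P<ret>[0-9a-f]+)"
)


def find_bad_frame_pointer_events(lines):
    """Return one dict per 'Bad frame pointer' warning found in dmesg lines.

    Each dict carries the timestamp, expected/received frame pointers (ints),
    and, when the follow-up line is present, the traced function and the
    return address fgraph was about to jump to.
    """
    events, current = [], None
    for line in lines:
        m = _BAD_FP.search(line)
        if m:
            current = {"ts": float(m["ts"]), "expected": int(m["expected"], 16),
                       "received": int(m["received"], 16), "func": None, "return_to": None}
            events.append(current)
        elif current is not None and (m := _FROM_FUNC.search(line)):
            current["func"] = m["func"]
            current["return_to"] = int(m["ret"], 16)
    return events


AFFECTED = ((6, 14, 0), (6, 14, 2))  # [>=6.14, <6.14.2) as listed in the advisory


def kernel_in_affected_range(release):
    """True if a `uname -r` string falls inside the affected range.

    Assumption: everything after the numeric prefix ('-rc3-g...', '+', distro
    suffixes) is ignored, so release candidates compare as their base version.
    """
    base = re.match(r"\d+(?:\.\d+)*", release).group(0)
    parts = tuple(int(p) for p in base.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    return AFFECTED[0] <= parts < AFFECTED[1]


# Constructed sample, modelled on the warning quoted in this advisory.
SAMPLE_DMESG = """\
[ 127.692888] ------------[ cut here ]------------
[ 127.693755] Bad frame pointer: expected ff2000000065be50, received ba34c141e9594000
[ 127.693755] from func do_nanosleep return to ffffffff800ccb16
[ 127.698699] WARNING: CPU: 1 PID: 129 at kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be
[ 127.705436] ---[ end trace 0000000000000000 ]---
""".splitlines()
```

Feeding the real `dmesg` output to `find_bad_frame_pointer_events` and pairing a hit with `kernel_in_affected_range(platform.release())` gives a quick triage signal that the tracing-induced warning matches this advisory rather than some other fgraph fault.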

Affected products (1)

  • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
    Range: >=6.14,<6.14.2

Patches (2)

Vulnerability mechanics

Root cause

"The stack layout for constructing arguments for ftrace_return_to_handler does not match the __arch_ftrace_regs structure on riscv."

Attack vector

A local user with the privileges needed to write to the tracing debugfs interface can trigger this vulnerability by using the `ftrace` subsystem to probe function return values. Specifically, enabling fprobe events and setting a probe on `do_nanosleep%return` produces the "Bad frame pointer" kernel warning shown above. The warning means the frame pointer that fgraph reads back from the stack is not the one it saved, i.e. the stack layout built by `return_to_handler` is wrong, which leads to unintended results and potentially a system crash. [CWE-668]

Affected code

The issue lies in the stack layout used when constructing arguments for `ftrace_return_to_handler` within the `return_to_handler` function on the riscv architecture. This incorrect layout does not align with the expected `__arch_ftrace_regs` structure.

What the fix does

The patch corrects the stack layout that `return_to_handler` builds for the argument passed to `ftrace_return_to_handler`. With the layout matching the `__arch_ftrace_regs` structure for the riscv architecture exactly, fgraph reads the frame pointer and return address from the offsets where they were actually stored, which removes the unexpected results and the "Bad frame pointer" warning.

Preconditions

  • auth: The attacker must have local administrative privileges to use the ftrace subsystem.
  • input: The attacker needs to be able to interact with the kernel's debugfs, specifically the tracing directory.

Generated by google/gemini-2.5-flash-lite on May 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
