VYPR
Unrated severity · NVD Advisory · Published Oct 28, 2025 · Updated Apr 15, 2026

CVE-2025-40035

Description

In the Linux kernel, the following vulnerability has been resolved:

Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak

Struct ff_effect_compat, which is embedded twice inside uinput_ff_upload_compat, contains internal padding. In particular, there is a hole after struct ff_replay to satisfy alignment requirements for the following union member. Without clearing the structure, copy_to_user() may leak stack data to userspace.

Initialize ff_up_compat to zero before filling valid fields.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing zero-initialization in the Linux kernel's uinput driver can leak kernel stack memory to userspace via padding bytes in a compat structure.

Root Cause

The uinput_ff_upload_compat structure, used for handling force-feedback upload requests from 32-bit userspace on a 64-bit kernel, embeds the struct ff_effect_compat twice. This structure contains internal padding bytes—specifically a hole after struct ff_replay to satisfy alignment for the following union member. The kernel was not zero-initializing the uinput_ff_upload_compat structure before copying it to userspace via copy_to_user(). As a result, uninitialized kernel stack data could be included in the copy, leading to an information leak [1][2][3][4].

Exploitation

To exploit this vulnerability, an attacker would need local access to the system and the ability to interact with the uinput device (e.g., by opening /dev/uinput and issuing the UI_FF_UPLOAD ioctl). No special privileges are required beyond the ability to open the uinput device, which is typically accessible to users in the input group or with appropriate permissions. The attack does not require authentication beyond local user access [1][2][3][4].

Impact

A successful exploit could leak sensitive kernel stack memory to the userspace process. The leaked data might contain pointers, kernel addresses, or other sensitive information that could be used to bypass security mechanisms like KASLR. The vulnerability is classified as an information disclosure issue [1][2][3][4].

Mitigation

The fix is to zero-initialize the uinput_ff_upload_compat structure before filling in the valid fields. This ensures that any padding bytes are cleared and no stale stack data is copied to userspace. The patch has been applied to the Linux kernel stable branches [1][2][3][4]. Users should update their kernels to include the fix.
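A userspace model of the pattern the fix addresses, added here as an example and not the driver's own code (the structs ending in _m are a constructed approximation of the compat layout and the field values are made up): the pre-fix routine assigns only the named fields, so the alignment hole after replay in each embedded copy keeps whatever the stack slot already held, while the post-fix routine clears the whole object before filling it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the compat layout (hypothetical, not the uapi headers):
 * 14 bytes of 16-bit fields, then a union member that needs 4-byte alignment,
 * so the compiler inserts a 2-byte hole after replay. */
struct ff_trigger_m { uint16_t button, interval; };
struct ff_replay_m  { uint16_t length, delay; };
struct ff_effect_compat_m {
    uint16_t type; int16_t id; uint16_t direction;
    struct ff_trigger_m trigger;
    struct ff_replay_m replay;                        /* 2-byte hole follows */
    union { int16_t level; uint32_t custom_len; } u;
};
struct uinput_ff_upload_compat_m {
    uint32_t request_id; int32_t retval;
    struct ff_effect_compat_m effect, old;            /* embedded twice */
};
#define STALE 0xA5  /* sentinel standing in for whatever the stack held before */
static void fill_effect(struct ff_effect_compat_m *e) {
    e->type = 0x52; e->id = 1; e->direction = 0;
    e->trigger.button = 0; e->trigger.interval = 0;
    e->replay.length = 1000; e->replay.delay = 0;
    e->u.custom_len = 0;                              /* writes all 4 union bytes */
}
/* Pre-fix pattern: assign the named fields only; padding keeps its old contents. */
void fill_unzeroed(struct uinput_ff_upload_compat_m *p, uint32_t req) {
    p->request_id = req; p->retval = 0;
    fill_effect(&p->effect); fill_effect(&p->old);
}
/* Post-fix pattern: memset() first. A "= {}" initializer is not guaranteed by the
 * C standard to zero padding, and padding is exactly what copy_to_user() exposes. */
void fill_zeroed(struct uinput_ff_upload_compat_m *p, uint32_t req) {
    memset(p, 0, sizeof *p);
    fill_unzeroed(p, req);
}
/* A sentinel-filled buffer models the stale stack slot; count sentinel bytes left. */
size_t stale_bytes(int zero_first) {
    struct uinput_ff_upload_compat_m buf;
    const unsigned char *b = (const unsigned char *)&buf; size_t n = 0;
    memset(&buf, STALE, sizeof buf);
    if (zero_first) fill_zeroed(&buf, 7); else fill_unzeroed(&buf, 7);
    for (size_t i = 0; i < sizeof buf; i++) n += (b[i] == STALE);
    return n;  /* 4 before the fix (one 2-byte hole in each copy), 0 after it */
}
/* Width of the hole the commit message describes, computed from the model. */
size_t hole_after_replay(void) {
    return offsetof(struct ff_effect_compat_m, u) -
           (offsetof(struct ff_effect_compat_m, replay) + sizeof(struct ff_replay_m));
}
```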

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
