CVE-2025-37781 in Linuxinformazioni

Riassunto

di VulDB • 03/07/2026

Based on the stack trace provided, here is an analysis of the issue and potential solutions.

### **Summary** The system crashed (Oops/Panic) while loading a kernel module via `finit_module` syscall (`insmod`). The crash occurred deep in the VFS/sysfs layer during initialization (`do_one_initcall`), specifically when trying to create sysfs entries or security contexts for the newly loaded module.

---

### **Key Observations from Stack Trace** 1. **Trigger**: `__se_sys_finit_module` → `load_module` → `do_init_module` → `do_one_initcall`. This confirms a kernel module is being inserted and failing during its init function. 2. **Crash Location**: The trace shows calls to: - `security_kernfs_init_security` (LSM/SELinux/AppArmor hook) - `__kernfs_new_node`, `kernfs_link_sibling`, `sysfs_add_bin_file_mode_ns` 3. **RIP/Register State**: The crash happened in user-space syscall entry (`entry_SYSCALL_64_after_hwframe`) or just after returning from kernel space, but the actual fault likely occurred inside one of the called functions above (the trace is truncated before showing the exact `Call Trace` line that points to the crashing instruction). However, the presence of `security_kernfs_init_security` suggests an **LSM (Linux Security Module)** issue.

---

### **Most Likely Causes** 1. **SELinux/AppArmor Denial or Bug**: The function `security_kernfs_init_security` is called when creating new sysfs/kernfs nodes. If the LSM policy is misconfigured, corrupted, or if there’s a bug in how the module interacts with security contexts, this can cause an oops. 2. **Module Code Bug**: The module being loaded may be: - Trying to create invalid sysfs entries (e.g., duplicate names, bad pointers). - Using deprecated or incorrect APIs for sysfs creation. 3. **Kernel-Module Version Mismatch**: If the kernel was updated but the module is from an older/newer source tree, ABI mismatches can cause crashes in VFS/sysfs layers.

---

### **Troubleshooting Steps**

#### **1. Identify the Module Being Loaded** Check `dmesg` or `/var/log/messages` for lines just before this crash to see which module was being inserted: ```bash grep -i "insmod\|finit_module" /var/log/kern.log | tail -n 20 # Or check dmesg output around timestamp [272.xxx]
dmesg --time-format iso-precise | grep -A5 -B5 "load_module" ```

#### **2. Check SELinux/AppArmor Logs** If SELinux or AppArmor is enabled, they may have logged a denial before the crash: ```bash # For SELinux ausearch -m avc -ts recent | tail -n 10 sealert -a /var/log/audit/audit.log

# For AppArmor dmesg | grep apparmor journalctl -k | grep apparmor ```

#### **3. Boot with Security Modules Disabled (Test Only)** To confirm if an LSM is causing the crash, boot temporarily without SELinux/AppArmor: - Add `selinux=0` or `apparmor=0` to kernel command line in GRUB. - Reboot and try loading the module again. ⚠️ **Warning**: This reduces security; only use for testing.

#### **4. Update/Rebuild the Module** Ensure the module is compiled against the exact running kernel headers: ```bash # Check kernel version uname -r

# Reinstall/recompile the module with matching headers sudo apt install linux-headers-$(uname -r) # Debian/Ubuntu sudo dnf install kernel-devel-$(uname -r) # RHEL/Fedora make clean && make modules_install ```

#### **5. Check for Known Kernel Bugs** Search your distribution’s bug tracker or Linux kernel mailing lists for: - `security_kernfs_init_security oops` - `sysfs_add_bin_file_mode_ns crash` - Specific kernel version + module name.

---

### **If You Can Provide More Info:** 1. Which **kernel version** are you running? (`uname -r`) 2. Which **module** was being loaded when it crashed? 3. Is this a **custom-built module** or from an official package (e.g., NVIDIA, VirtualBox, DKMS)? 4. Are SELinux

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Responsabile

Linux

Prenotare

16/04/2025

Divulgazione

01/05/2025

Moderazione

accettato

CPE

pronto

EPSS

0.00170

KEV

no

Attività

molto basso

Fonti

Want to stay up to date on a daily basis?

Enable the mail alert feature now!