Security Vulnerability Report
CVE-2025-68223 CVSS 5.5 MEDIUM

CVE-2025-68223

Published: 2025-12-16 14:15:56
Last Modified: 2026-02-26 15:53:03
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: delete radeon_fence_process in is_signaled, no deadlock

Delete the attempt to progress the queue when checking if fence is signaled. This avoids deadlock.

dma-fence_ops::signaled can be called with the fence lock in unknown state. For radeon, the fence lock is also the wait queue lock. This can cause a self deadlock when signaled() tries to make forward progress on the wait queue. But advancing the queue is unneeded because incorrectly returning false from signaled() is perfectly acceptable.

(cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db)

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

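cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 3.18 up to, but not including, 6.1.162) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.2 up to, but not including, 6.6.123) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.7 up to, but not including, 6.12.60) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.13 up to, but not including, 6.17.10) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.18:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.18:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.18:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.18:rc4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.18:rc5:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.18:rc6:*:*:*:*:*:* - VULNERABLE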
Linux kernel drm/radeon (versions before patch commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db)
Upstream stable versions affected: 73bc12d6a547f9571ce4393acfd73c004e2df9e5
Upstream stable versions affected: 7e3e9b3a44c23c8eac86a41308c05077d6d30f41
Upstream stable versions affected: 9d0ed508a9e2af82951ce7d834f58c139fc2bd9b
Upstream stable versions affected: 9eb00b5f5697bd56baa3222c7a1426fa15bacfb5
Upstream stable versions affected: d40a72d7e3bad4dfb311ef078f5a57362f088c7f

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2025-68223: radeon fence deadlock
// This demonstrates the deadlock condition in radeon driver
// Compile: gcc -o radeon_deadlock_poc radeon_deadlock_poc.c -lpthread

#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <unistd.h>

/*
 * This is a conceptual PoC showing how the deadlock can occur.
 * The actual exploitation requires direct interaction with radeon DRM.
 *
 * Attack scenario:
 * 1. Create multiple fence objects
 * 2. Trigger signaled callback under specific lock conditions
 * 3. The radeon_fence_process will attempt to acquire the same lock
 * 4. Resulting in a self-deadlock
 */

#define MAX_THREADS 16
#define ITERATIONS 10000

void* deadlock_trigger(void* arg) {
    int thread_id = *(int*)arg;

    printf("[Thread %d] Starting deadlock trigger...\n", thread_id);

    /*
     * Simulate the fence signaling check path
     * In real exploitation, this would involve:
     * - Opening /dev/dri/cardX
     * - Creating GEM objects
     * - Submitting GPU commands that create fences
     * - Rapidly checking fence status
     */
    for (int i = 0; i < ITERATIONS; i++) {
        /*
         * The vulnerability occurs when:
         * 1. Fence lock is held (unknown state in signaled callback)
         * 2. signaled() -> radeon_fence_process() is called
         * 3. radeon_fence_process() tries to acquire fence lock again
         * 4. Deadlock occurs
         */
        if (i % 1000 == 0) {
            printf("[Thread %d] Iteration %d\n", thread_id, i);
        }
    }

    printf("[Thread %d] Completed\n", thread_id);
    return NULL;
}

int main(int argc, char* argv[]) {
    pthread_t threads[MAX_THREADS];
    int thread_ids[MAX_THREADS];

    printf("CVE-2025-68223 PoC - radeon fence deadlock trigger\n");
    printf("This PoC is conceptual. Real exploitation requires:\n");
    printf("- Direct DRM interaction via /dev/dri/cardX\n");
    printf("- GEM object creation and GPU submission\n");
    printf("- Rapid fence status checking under specific timing\n\n");

    /*
     * Create multiple threads to increase chance of triggering
     * the race condition that leads to deadlock
     */
    for (int i = 0; i < MAX_THREADS; i++) {
        thread_ids[i] = i;
        if (pthread_create(&threads[i], NULL, deadlock_trigger, &thread_ids[i]) != 0) {
            perror("pthread_create failed");
            return 1;
        }
    }

    /* Wait for all threads */
    for (int i = 0; i < MAX_THREADS; i++) {
        pthread_join(threads[i], NULL);
    }

    printf("PoC execution completed. Check for system hang.\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68223", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-12-16T14:15:55.630", "lastModified": "2026-02-26T15:53:03.087", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: delete radeon_fence_process in is_signaled, no deadlock\n\nDelete the attempt to progress the queue when checking if fence is\nsignaled. This avoids deadlock.\n\ndma-fence_ops::signaled can be called with the fence lock in unknown\nstate. For radeon, the fence lock is also the wait queue lock. This can\ncause a self deadlock when signaled() tries to make forward progress on\nthe wait queue. But advancing the queue is unneeded because incorrectly\nreturning false from signaled() is perfectly acceptable.\n\n(cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-667"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "6.1.162", "matchCriteriaId": "F0B0769E-C2FC-48CD-A03A-CBBDA8416EFF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.123", "matchCriteriaId": 
"316D8D4E-FE44-4C76-8403-63CAF51EEFC2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.60", "matchCriteriaId": "959A7F68-3804-4797-BE3E-A69E525AD284"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.17.10", "matchCriteriaId": "51C8475C-4E3F-464D-AE0C-4D52A8C3240E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:rc1:*:*:*:*:*:*", "matchCriteriaId": "DD01661D-DFC8-4B6D-80E7-46D203CC4565"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:rc2:*:*:*:*:*:*", "matchCriteriaId": "A8A65C5A-918F-4E0B-8E98-08A29FFBA58A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:rc3:*:*:*:*:*:*", "matchCriteriaId": "26CA425A-E44F-49D2-92D9-1DDD56398440"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:rc4:*:*:*:*:*:*", "matchCriteriaId": "BEEBB43A-4C9F-46BE-AA6D-9DBFD2244E55"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:rc5:*:*:*:*:*:*", "matchCriteriaId": "2545FB83-C4A6-4F62-9ED1-09F75D2E3C78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:rc6:*:*:*:*:*:*", "matchCriteriaId": "E955EC5D-4684-4B5D-AE4D-F2BF9ADDBA1D"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/73bc12d6a547f9571ce4393acfd73c004e2df9e5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7e3e9b3a44c23c8eac86a41308c05077d6d30f41", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9d0ed508a9e2af82951ce7d834f58c139fc2bd9b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9eb00b5f5697bd56baa3222c7a1426fa15bacfb5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": 
"https://git.kernel.org/stable/c/d40a72d7e3bad4dfb311ef078f5a57362f088c7f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}