Security Vulnerability Report
CVE-2025-71083 CVSS 5.5 MEDIUM

CVE-2025-71083

Published: 2026-01-13 16:16:08
Last Modified: 2026-03-25 19:35:33
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: Avoid NULL pointer deref for evicted BOs

It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted.

When devcoredump tries to read the contents of all BOs for dumping, we need to expect this as well -- in this case, ENODATA is recorded instead of the buffer contents.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

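cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 4.14.1 up to, but excluding, 5.15.198) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16 up to, but excluding, 6.1.160) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2 up to, but excluding, 6.6.120) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.7 up to, but excluding, 6.12.64) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13 up to, but excluding, 6.18.4) - VULNERABLE
Linux kernel < 5.15.x (some stable releases)
Linux kernel < 6.1.x (some stable releases)
Linux kernel < 6.6.x (long-term support release)
Linux kernel < 6.12.x (main stable release)
For the exact affected versions, refer to the stable release changelogs published on kernel.org.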

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/* CVE-2025-71083 PoC - checks whether the kernel is affected by the
 * drm/ttm NULL pointer dereference.
 * This PoC detects the vulnerability by triggering the devcoredump function. */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <drm/drm.h>   /* kernel UAPI header: struct drm_version, DRM_IOCTL_VERSION */

/* Detection method:
 * 1. Create a DRM device session
 * 2. Allocate multiple Buffer Objects (BOs)
 * 3. Apply memory pressure so that BOs are evicted
 * 4. Trigger devcoredump so that it reads the contents of all BOs
 * 5. Observe whether a kernel oops or NULL pointer dereference occurs
 *
 * Note: this PoC must be run as root and is for security research only.
 * The program itself only opens a DRM node and reports the driver;
 * steps 2-5 are printed as manual instructions.
 */

int main(void)
{
    int fd = -1;
    struct drm_version ver;
    /* Zero-filled so the strings stay NUL-terminated: the kernel copies
     * at most the requested length and does not append a terminator. */
    char name[64] = {0}, date[64] = {0}, desc[256] = {0};

    printf("[*] CVE-2025-71083 Detection Tool\n");
    printf("[*] Checking for NULL pointer dereference in drm/ttm\n");

    /* Try to open a DRM device */
    const char *drm_devices[] = {"/dev/dri/card0", "/dev/dri/card1",
                                 "/dev/dri/renderD128", NULL};
    for (int i = 0; drm_devices[i] != NULL; i++) {
        fd = open(drm_devices[i], O_RDWR);
        if (fd >= 0)
            break;
    }
    if (fd < 0) {
        printf("[-] Cannot open DRM device. Try running as root.\n");
        return 1;
    }
    printf("[+] Opened DRM device\n");

    /* Query the DRM version information */
    memset(&ver, 0, sizeof(ver));
    ver.name = name;
    ver.name_len = sizeof(name) - 1;
    ver.date = date;
    ver.date_len = sizeof(date) - 1;
    ver.desc = desc;
    ver.desc_len = sizeof(desc) - 1;
    if (ioctl(fd, DRM_IOCTL_VERSION, &ver) == 0) {
        printf("[+] DRM driver: %s\n", name);
        printf("[+] Driver description: %s\n", desc);
    }

    printf("[*] To fully test this vulnerability, you need to:\n");
    printf("    1. Allocate GPU buffers to fill video memory\n");
    printf("    2. Force buffer eviction by exhausting GPU memory\n");
    printf("    3. Trigger devcoredump (usually via kernel debug interface)\n");
    printf("    4. Check dmesg for NULL pointer dereference errors\n");

    close(fd);
    printf("[*] Test completed. Check system logs for vulnerability indicators.\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71083", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-13T16:16:07.893", "lastModified": "2026-03-25T19:35:32.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Avoid NULL pointer deref for evicted BOs\n\nIt is possible for a BO to exist that is not currently associated with a\nresource, e.g. because it has been evicted.\n\nWhen devcoredump tries to read the contents of all BOs for dumping, we need\nto expect this as well -- in this case, ENODATA is recorded instead of the\nbuffer contents."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndrm/ttm: Evitar desreferencia de puntero NULL para BOs desalojados\n\nEs posible que exista un BO que no esté actualmente asociado a un recurso, p. ej., porque ha sido desalojado.\n\nCuando devcoredump intenta leer el contenido de todos los BOs para el volcado, también debemos esperar esto -- en este caso, se registra ENODATA en lugar del contenido del búfer."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.1", "versionEndExcluding": "5.15.198", 
"matchCriteriaId": "C3173998-BB6C-44FA-9902-A467C3AE73A9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.160", "matchCriteriaId": "C10CC03E-16A9-428A-B449-40D3763E15F6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.120", "matchCriteriaId": "43C3A206-5EEE-417B-AA0F-EF8972E7A9F0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.64", "matchCriteriaId": "32BF4A52-377C-44ED-B5E6-7EA5D896E98B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.4", "matchCriteriaId": "DC988EA0-0E32-457A-BF95-89BEB31A227B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.14:-:*:*:*:*:*:*", "matchCriteriaId": "7875AA30-1F6F-470C-A52D-ECBD6663CEC5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", 
"matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3d004f7341d4898889801ebb2ef61ffca610dd6f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/47a85604a761005d255ae38115ee630cc6931756", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/491adc6a0f9903c32b05f284df1148de39e8e644", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/4b9944493c6d92d7b29cfd83aaf3deb842b8da79", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stab ... (truncated)