Security Vulnerability Report
CVE-2025-71141 CVSS 5.5 MEDIUM

CVE-2025-71141

Published: 2026-01-14 15:16:04
Last Modified: 2026-03-25 18:02:52
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/tilcdc: Fix removal actions in case of failed probe

The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers should only be called when the device has been successfully registered. Currently, these functions are called unconditionally in tilcdc_fini(), which causes warnings during probe deferral scenarios.

[ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68
...
[ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108
[ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8
[ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144
[ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc]
[ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc]

Fix this by rewriting the failed probe cleanup path using the standard goto error handling pattern, which ensures that cleanup functions are only called on successfully initialized resources. Additionally, remove the now-unnecessary is_registered flag.
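The cleanup ordering the description refers to, as a userspace C model added here (it is not the kernel patch or tilcdc code). The struct, the stage names and the bad_teardowns counter are hypothetical; EPROBE_DEFER is defined locally with the kernel's value.

```c
#include <stdio.h>
#define EPROBE_DEFER 517 /* kernel's value; defined locally for this userspace model */
/* Hypothetical stand-in for driver state (not the tilcdc structures). */
struct model_dev { int clk_on, modeset_ready, registered, bad_teardowns; };

static void clk_off(struct model_dev *d)      { d->bad_teardowns += !d->clk_on; d->clk_on = 0; }
static void modeset_fini(struct model_dev *d) { d->bad_teardowns += !d->modeset_ready; d->modeset_ready = 0; }
static void shutdown_hw(struct model_dev *d)  { d->bad_teardowns += !d->registered; d->registered = 0; }
static void fini_all(struct model_dev *d)     { shutdown_hw(d); modeset_fini(d); clk_off(d); }

/* Before: any failure runs the catch-all fini. fail_at 1..3 = failing stage, 0 = success. */
int probe_unconditional(struct model_dev *d, int fail_at)
{
    if (fail_at == 1) goto fail;
    d->clk_on = 1;
    if (fail_at == 2) goto fail;
    d->modeset_ready = 1;
    if (fail_at == 3) goto fail;
    d->registered = 1;
    return 0;
fail:
    fini_all(d); /* tears down stages that never completed */
    return -EPROBE_DEFER;
}

/* After: each label undoes only the stages that completed before the failure. */
int probe_goto_unwind(struct model_dev *d, int fail_at)
{
    if (fail_at == 1) return -EPROBE_DEFER;
    d->clk_on = 1;
    if (fail_at == 2) goto err_clk;
    d->modeset_ready = 1;
    if (fail_at == 3) goto err_modeset;
    d->registered = 1;
    return 0;
err_modeset:
    modeset_fini(d);
err_clk:
    clk_off(d);
    return -EPROBE_DEFER;
}

int main(void)
{
    struct model_dev a = {0}, b = {0};
    int r1 = probe_unconditional(&a, 2), r2 = probe_goto_unwind(&b, 2);
    printf("ret=%d/%d bad teardowns: before=%d after=%d\n", r1, r2, a.bad_teardowns, b.bad_teardowns);
    return 0;
}
```

In the "before" path a deferral at the second stage still reaches shutdown_hw() on a device that was never registered, which is the same shape as the drm_atomic_helper_shutdown() call in the warning trace.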

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.5.12, before 6.6) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.6.2, before 6.6.120) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.7.1, before 6.18.4) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.7:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
Linux kernel < version containing fix commit 21e52dc7762908c3d499cfb493d1b8281fc1d3ab
Linux kernel < version containing fix commit 71be8825e83c90c1e020feb77b29e6a99629e642
Linux kernel < version containing fix commit a585c7ef9cabda58088916baedc6573e9a5cd2a7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2025-71141 - Tilcdc Probe Failure Cleanup Issue
// This PoC demonstrates triggering the kernel warning by manipulating
// hardware probe deferral scenarios
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   // strerror()
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>

/*
 * Trigger conditions for CVE-2025-71141:
 * 1. System has tilcdc DRM driver loaded
 * 2. Probe deferral occurs during driver initialization
 * 3. tilcdc_fini() is called on uninitialized resources
 *
 * Note: This is a kernel-level vulnerability. Exploitation requires:
 * - Access to a system with vulnerable tilcdc driver
 * - Ability to trigger probe deferral conditions
 * - Typically requires root or specific hardware access
 */
int main() {
    int fd;
    const char *device_paths[] = {
        "/dev/dri/card0",
        "/dev/dri/by-path/platform-tilcdc-card",
        NULL
    };

    printf("CVE-2025-71141 PoC - Tilcdc Cleanup Issue\n");
    printf("==========================================\n\n");

    // Try to access tilcdc device nodes
    for (int i = 0; device_paths[i] != NULL; i++) {
        printf("Attempting to open: %s\n", device_paths[i]);
        fd = open(device_paths[i], O_RDWR);
        if (fd >= 0) {
            printf("[+] Successfully opened %s\n", device_paths[i]);
            close(fd);
        } else {
            printf("[-] Failed to open %s: %s\n", device_paths[i], strerror(errno));
        }
    }

    printf("\n[*] To trigger vulnerability:\n");
    printf(" - Load tilcdc driver with deferred probe dependencies\n");
    printf(" - Monitor dmesg for kernel warnings during driver unload\n");
    printf(" - Look for 'WARNING: CPU' in drm_atomic_helper_* functions\n");
    return 0;
}

// Kernel module approach (requires kernel development):
/*
#include <linux/module.h>
#include <linux/platform_device.h>

static int tilcdc_probe_defer_test(void) {
    // Simulate probe deferral that triggers the vulnerability
    struct platform_device *pdev;

    // Trigger conditions:
    // 1. tilcdc driver probe starts
    // 2. Resource dependency fails (returns -EPROBE_DEFER)
    // 3. Driver cleanup path calls drm_atomic_helper_shutdown()
    // 4. Kernel warning triggered in drm_atomic_helper_crtc_duplicate_state
    return 0;
}

module_init(tilcdc_probe_defer_test);
*/
