lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2025070424-CVE-2025-38217-d1ab@gregkh>
Date: Fri,  4 Jul 2025 15:37:46 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38217: hwmon: (ftsteutates) Fix TOCTOU race in fts_read()

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (ftsteutates) Fix TOCTOU race in fts_read()

In the fts_read() function, when handling hwmon_pwm_auto_channels_temp,
the code accesses the shared variable data->fan_source[channel] twice
without holding any locks. It is first checked against
FTS_FAN_SOURCE_INVALID, and if the check passes, it is read again
when used as an argument to the BIT() macro.

This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition.
Another thread executing fts_update_device() can modify the value of
data->fan_source[channel] between the check and its use. If the value
is changed to FTS_FAN_SOURCE_INVALID (0xff) during this window, the
BIT() macro will be called with a large shift value (BIT(255)).
A bit shift by a value greater than or equal to the type width is
undefined behavior and can lead to a crash or incorrect values being
returned to userspace.

Fix this by reading data->fan_source[channel] into a local variable
once, eliminating the race condition. Additionally, add a bounds check
to ensure the value is less than BITS_PER_LONG before passing it to
the BIT() macro, making the code more robust against undefined behavior.

This possible bug was found by an experimental static analysis tool
developed by our team.

The Linux kernel CVE team has assigned CVE-2025-38217 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.3 with commit 1c5759d8ce054961b454af69568a41e7e3210ee1 and fixed in 6.6.95 with commit d95d87841d2a575bed3691884e8fedef57d7710d
	Issue introduced in 6.3 with commit 1c5759d8ce054961b454af69568a41e7e3210ee1 and fixed in 6.12.35 with commit 83e2ba8971ccd8fc08319fc7593288f070d80a76
	Issue introduced in 6.3 with commit 1c5759d8ce054961b454af69568a41e7e3210ee1 and fixed in 6.15.4 with commit 4d646f627d3b7ed1cacca66e598af8bcd632d465
	Issue introduced in 6.3 with commit 1c5759d8ce054961b454af69568a41e7e3210ee1 and fixed in 6.16-rc3 with commit 14c9ede9ca4cd078ad76a6ab9617b81074eb58bf

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38217
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/hwmon/ftsteutates.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/d95d87841d2a575bed3691884e8fedef57d7710d
	https://git.kernel.org/stable/c/83e2ba8971ccd8fc08319fc7593288f070d80a76
	https://git.kernel.org/stable/c/4d646f627d3b7ed1cacca66e598af8bcd632d465
	https://git.kernel.org/stable/c/14c9ede9ca4cd078ad76a6ab9617b81074eb58bf

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ