CVE-2025-38217 (GCVE-0-2025-38217)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2025-07-28 04:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: hwmon: (ftsteutates) Fix TOCTOU race in fts_read() In the fts_read() function, when handling hwmon_pwm_auto_channels_temp, the code accesses the shared variable data->fan_source[channel] twice without holding any locks. It is first checked against FTS_FAN_SOURCE_INVALID, and if the check passes, it is read again when used as an argument to the BIT() macro. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition. Another thread executing fts_update_device() can modify the value of data->fan_source[channel] between the check and its use. If the value is changed to FTS_FAN_SOURCE_INVALID (0xff) during this window, the BIT() macro will be called with a large shift value (BIT(255)). A bit shift by a value greater than or equal to the type width is undefined behavior and can lead to a crash or incorrect values being returned to userspace. Fix this by reading data->fan_source[channel] into a local variable once, eliminating the race condition. Additionally, add a bounds check to ensure the value is less than BITS_PER_LONG before passing it to the BIT() macro, making the code more robust against undefined behavior. This possible bug was found by an experimental static analysis tool developed by our team.
References
Impacted products
Vendor Product Version
Linux Linux Version: 1c5759d8ce054961b454af69568a41e7e3210ee1
Version: 1c5759d8ce054961b454af69568a41e7e3210ee1
Version: 1c5759d8ce054961b454af69568a41e7e3210ee1
Version: 1c5759d8ce054961b454af69568a41e7e3210ee1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hwmon/ftsteutates.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d95d87841d2a575bed3691884e8fedef57d7710d",
              "status": "affected",
              "version": "1c5759d8ce054961b454af69568a41e7e3210ee1",
              "versionType": "git"
            },
            {
              "lessThan": "83e2ba8971ccd8fc08319fc7593288f070d80a76",
              "status": "affected",
              "version": "1c5759d8ce054961b454af69568a41e7e3210ee1",
              "versionType": "git"
            },
            {
              "lessThan": "4d646f627d3b7ed1cacca66e598af8bcd632d465",
              "status": "affected",
              "version": "1c5759d8ce054961b454af69568a41e7e3210ee1",
              "versionType": "git"
            },
            {
              "lessThan": "14c9ede9ca4cd078ad76a6ab9617b81074eb58bf",
              "status": "affected",
              "version": "1c5759d8ce054961b454af69568a41e7e3210ee1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hwmon/ftsteutates.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (ftsteutates) Fix TOCTOU race in fts_read()\n\nIn the fts_read() function, when handling hwmon_pwm_auto_channels_temp,\nthe code accesses the shared variable data-\u003efan_source[channel] twice\nwithout holding any locks. It is first checked against\nFTS_FAN_SOURCE_INVALID, and if the check passes, it is read again\nwhen used as an argument to the BIT() macro.\n\nThis creates a Time-of-Check to Time-of-Use (TOCTOU) race condition.\nAnother thread executing fts_update_device() can modify the value of\ndata-\u003efan_source[channel] between the check and its use. If the value\nis changed to FTS_FAN_SOURCE_INVALID (0xff) during this window, the\nBIT() macro will be called with a large shift value (BIT(255)).\nA bit shift by a value greater than or equal to the type width is\nundefined behavior and can lead to a crash or incorrect values being\nreturned to userspace.\n\nFix this by reading data-\u003efan_source[channel] into a local variable\nonce, eliminating the race condition. Additionally, add a bounds check\nto ensure the value is less than BITS_PER_LONG before passing it to\nthe BIT() macro, making the code more robust against undefined behavior.\n\nThis possible bug was found by an experimental static analysis tool\ndeveloped by our team."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:15:26.637Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d95d87841d2a575bed3691884e8fedef57d7710d"
        },
        {
          "url": "https://git.kernel.org/stable/c/83e2ba8971ccd8fc08319fc7593288f070d80a76"
        },
        {
          "url": "https://git.kernel.org/stable/c/4d646f627d3b7ed1cacca66e598af8bcd632d465"
        },
        {
          "url": "https://git.kernel.org/stable/c/14c9ede9ca4cd078ad76a6ab9617b81074eb58bf"
        }
      ],
      "title": "hwmon: (ftsteutates) Fix TOCTOU race in fts_read()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38217",
    "datePublished": "2025-07-04T13:37:34.532Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2025-07-28T04:15:26.637Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38217\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-04T14:15:30.227\",\"lastModified\":\"2025-07-08T16:18:53.607\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhwmon: (ftsteutates) Fix TOCTOU race in fts_read()\\n\\nIn the fts_read() function, when handling hwmon_pwm_auto_channels_temp,\\nthe code accesses the shared variable data-\u003efan_source[channel] twice\\nwithout holding any locks. It is first checked against\\nFTS_FAN_SOURCE_INVALID, and if the check passes, it is read again\\nwhen used as an argument to the BIT() macro.\\n\\nThis creates a Time-of-Check to Time-of-Use (TOCTOU) race condition.\\nAnother thread executing fts_update_device() can modify the value of\\ndata-\u003efan_source[channel] between the check and its use. If the value\\nis changed to FTS_FAN_SOURCE_INVALID (0xff) during this window, the\\nBIT() macro will be called with a large shift value (BIT(255)).\\nA bit shift by a value greater than or equal to the type width is\\nundefined behavior and can lead to a crash or incorrect values being\\nreturned to userspace.\\n\\nFix this by reading data-\u003efan_source[channel] into a local variable\\nonce, eliminating the race condition. Additionally, add a bounds check\\nto ensure the value is less than BITS_PER_LONG before passing it to\\nthe BIT() macro, making the code more robust against undefined behavior.\\n\\nThis possible bug was found by an experimental static analysis tool\\ndeveloped by our team.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: hwmon: (ftsteutates) Corregir la ejecuci\u00f3n TOCTOU en fts_read() En la funci\u00f3n fts_read(), al manejar hwmon_pwm_auto_channels_temp, el c\u00f3digo accede a la variable compartida data-\u0026gt;fan_source[channel] dos veces sin mantener ning\u00fan bloqueo. Primero se compara con FTS_FAN_SOURCE_INVALID y, si la comprobaci\u00f3n es correcta, se vuelve a leer cuando se usa como argumento de la macro BIT(). Esto crea una condici\u00f3n de ejecuci\u00f3n de tiempo de comprobaci\u00f3n a tiempo de uso (TOCTOU). Otro hilo que ejecute fts_update_device() puede modificar el valor de data-\u0026gt;fan_source[channel] entre la comprobaci\u00f3n y su uso. Si el valor se cambia a FTS_FAN_SOURCE_INVALID (0xff) durante esta ventana, se llamar\u00e1 a la macro BIT() con un valor de desplazamiento grande (BIT(255)). Un desplazamiento de bits por un valor mayor o igual al ancho del tipo es un comportamiento indefinido que puede provocar un fallo o la devoluci\u00f3n de valores incorrectos al espacio de usuario. Para solucionarlo, lea data-\u0026gt;fan_source[channel] en una variable local una vez, eliminando as\u00ed la condici\u00f3n de ejecuci\u00f3n. Adem\u00e1s, a\u00f1ada una comprobaci\u00f3n de los l\u00edmites para garantizar que el valor sea menor que BITS_PER_LONG antes de pasarlo a la macro BIT(), lo que aumenta la robustez del c\u00f3digo frente a comportamientos indefinidos. Este posible error fue detectado por una herramienta de an\u00e1lisis est\u00e1tico experimental desarrollada por nuestro equipo.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/14c9ede9ca4cd078ad76a6ab9617b81074eb58bf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4d646f627d3b7ed1cacca66e598af8bcd632d465\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/83e2ba8971ccd8fc08319fc7593288f070d80a76\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d95d87841d2a575bed3691884e8fedef57d7710d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.