CVE-2025-39713

Summary

In the Linux kernel, the following vulnerability has been resolved:

media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()

In the interrupt handler rain_interrupt(), the buffer full check on rain->buf_len is performed before acquiring rain->buf_lock. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as rain->buf_len is concurrently accessed and modified in the work handler rain_irq_work_handler() under the same lock.

Multiple interrupt invocations can race, with each reading buf_len before it becomes full and then proceeding. This can lead to both interrupts attempting to write to the buffer, incrementing buf_len beyond its capacity (DATA_SIZE) and causing a buffer overflow.

Fix this bug by moving the spin_lock() to before the buffer full check. This ensures that the check and the subsequent buffer modification are performed atomically, preventing the race condition. An corresponding spin_unlock() is added to the overflow path to correctly release the lock.

This possible bug was found by an experimental static analysis tool developed by our team.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux0f314f6c2e77beb1a232be21dd6be4e1849ba5ac < 2964dbe631fd21ad7873b1752b895548d3c12496affected
LinuxLinux0f314f6c2e77beb1a232be21dd6be4e1849ba5ac < 6aaef1a75985865d8c6c5b65fb54152060faba48affected
LinuxLinux0f314f6c2e77beb1a232be21dd6be4e1849ba5ac < fbc81e78d75bf28972bc22b1599559557b1a1b83affected
LinuxLinux0f314f6c2e77beb1a232be21dd6be4e1849ba5ac < 3c3e33b7edca7a2d6a96801f287f9faeb684d655affected
LinuxLinux0f314f6c2e77beb1a232be21dd6be4e1849ba5ac < 1c2769dc80255824542ea5a4ff1a07dcdeb1603faffected
LinuxLinux0f314f6c2e77beb1a232be21dd6be4e1849ba5ac < ed905fe7cba03cf22ae0b84cf1b73cd1c070423aaffected
LinuxLinux0f314f6c2e77beb1a232be21dd6be4e1849ba5ac < ff9dd3db6cd4c6b54a2ecbc58151bea4ec63bc59affected
LinuxLinux0f314f6c2e77beb1a232be21dd6be4e1849ba5ac < 7af160aea26c7dc9e6734d19306128cce156ec40affected
LinuxLinux4.12affected
LinuxLinux0 < 4.12unaffected
LinuxLinux5.4.297 <= 5.4.*unaffected
LinuxLinux5.10.241 <= 5.10.*unaffected
LinuxLinux5.15.190 <= 5.15.*unaffected
LinuxLinux6.1.149 <= 6.1.*unaffected
LinuxLinux6.6.103 <= 6.6.*unaffected
LinuxLinux6.12.44 <= 6.12.*unaffected
LinuxLinux6.16.4 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

Additional References

References