In the Linux kernel, the following vulnerability has been resolved:
media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
In the interrupt handler rain_interrupt(), the buffer full check on
rain->buf_len is performed before acquiring rain->buf_lock. This
creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as
rain->buf_len is concurrently accessed and modified in the work
handler rain_irq_work_handler() under the same lock.
Multiple interrupt invocations can race, with each reading buf_len
before it becomes full and then proceeding. This can lead to both
interrupts attempting to write to the buffer, incrementing buf_len
beyond its capacity (DATA_SIZE) and causing a buffer overflow.
Fix this bug by moving the spin_lock() to before the buffer full
check. This ensures that the check and the subsequent buffer modification
are performed atomically, preventing the race condition. An corresponding
spin_unlock() is added to the overflow path to correctly release the
lock.
This possible bug was found by an experimental static analysis tool
developed by our team.
| Score | Percentile |
|---|---|
| 0.01% | 2.48% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 4.7 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-pf4v-7q2j-5rw9 ↗ |
| CVE | CVE-2025-39713 ↗ |
| CWE id | Name |
|---|---|
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition |