CVE-2025-38217

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/07/2025
Last modified:
18/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (ftsteutates) Fix TOCTOU race in fts_read()

In the fts_read() function, when handling hwmon_pwm_auto_channels_temp, the code accesses the shared variable data->fan_source[channel] twice without holding any locks. It is first checked against FTS_FAN_SOURCE_INVALID, and if the check passes, it is read again when used as an argument to the BIT() macro.

This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition. Another thread executing fts_update_device() can modify the value of data->fan_source[channel] between the check and its use. If the value is changed to FTS_FAN_SOURCE_INVALID (0xff) during this window, the BIT() macro will be called with a large shift value (BIT(255)). A bit shift by a value greater than or equal to the type width is undefined behavior and can lead to a crash or incorrect values being returned to userspace.

Fix this by reading data->fan_source[channel] into a local variable once, eliminating the race condition. Additionally, add a bounds check to ensure the value is less than BITS_PER_LONG before passing it to the BIT() macro, making the code more robust against undefined behavior.

This possible bug was found by an experimental static analysis tool developed by our team.
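The double-read pattern and the single-snapshot fix described above, as an added C example that is not the kernel's ftsteutates code. It is a userspace model: `arm()`, `read_fan_source()` and the two reader functions are hypothetical names, and the concurrent fts_update_device() store is forced deterministically between two reads instead of being raced with a real thread.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#define FTS_FAN_SOURCE_INVALID 0xff   /* sentinel value named in the advisory */
#define BITS_PER_LONG ((unsigned)(sizeof(long) * CHAR_BIT))
#define BIT(n) (1UL << (n))

static uint8_t fan_source;      /* constructed stand-in for data->fan_source[channel] */
static int update_after_reads;  /* hypothetical hook: modelled updater fires after N reads */
static void arm(uint8_t initial, int reads_before_update)
{
    fan_source = initial;
    update_after_reads = reads_before_update;
}

/* All shared accesses go through here so the modelled updater can be interleaved. */
static uint8_t read_fan_source(void)
{
    uint8_t v = fan_source;
    if (update_after_reads > 0 && --update_after_reads == 0)
        fan_source = FTS_FAN_SOURCE_INVALID;
    return v;
}

/* Pre-fix pattern: check and use are separate reads. Returns the shift count that
 * would reach BIT(), or -1 if rejected; the shift is not performed (it would be UB). */
static int shift_double_read(void)
{
    if (read_fan_source() == FTS_FAN_SOURCE_INVALID)
        return -1;
    return read_fan_source();
}

/* Post-fix pattern: one snapshot, then sentinel and bounds checks on the local copy.
 * Returning 0 for "no usable source" is this model's own convention. */
static unsigned long mask_single_read(void)
{
    uint8_t src = read_fan_source();
    if (src == FTS_FAN_SOURCE_INVALID || src >= BITS_PER_LONG)
        return 0;
    return BIT(src);
}

int main(void)
{
    arm(3, 1);   /* valid source 3; updater fires right after the first read */
    printf("double read: shift count %d\n", shift_double_read());
    arm(3, 1);
    printf("single read: mask %#lx\n", mask_single_read());
    return 0;
}
```

With the same interleaving, the double-read version hands a shift count of 255 to the point where BIT() would run, while the snapshot version keeps working on the value it checked.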

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.3 (including) 6.6.95 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.35 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.15.4 (excluding)
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*