CVE-2025-39711
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-39711
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39711.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-39711
- Downstream
- Related
- Published
- 2025-09-05T17:21:18Z
- Modified
- 2025-10-10T17:00:43.376033Z
- Summary
- media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
media: ivsc: Fix crash at shutdown due to missing meicldevdisable() calls
Both the ACE and CSI driver are missing a meicldevdisable() call in their remove() function.
This causes the meicl client to stay part of the meidevice->filelist list even though its memory is freed by meiclbusdev_release() calling kfree(cldev->cl).
This leads to a use-after-free when meivscremove() runs meistop() which first removes all mei bus devices calling meiaceremove() and meicsiremove() followed by meiclbusdevrelease() and then calls meiclalldisconnect() which walks over meidevice->filelist dereferecing the just freed cldev->cl.
And meivscremove() it self is run at shutdown because of the platformdeviceunregister(tp->pdev) in vsctpshutdown()
When building a kernel with KASAN this leads to the following KASAN report:
[ 106.634504] ================================================================== [ 106.634623] BUG: KASAN: slab-use-after-free in meiclsetdisconnected (drivers/misc/mei/client.c:783) mei [ 106.634683] Read of size 4 at addr ffff88819cb62018 by task systemd-shutdow/1 [ 106.634729] [ 106.634767] Tainted: [E]=UNSIGNEDMODULE [ 106.634770] Hardware name: Dell Inc. XPS 16 9640/09CK4V, BIOS 1.12.0 02/10/2025 [ 106.634773] Call Trace: [ 106.634777] <TASK> ... [ 106.634871] kasanreport (mm/kasan/report.c:221 mm/kasan/report.c:636) [ 106.634901] meiclsetdisconnected (drivers/misc/mei/client.c:783) mei [ 106.634921] meiclalldisconnect (drivers/misc/mei/client.c:2165 (discriminator 4)) mei [ 106.634941] meireset (drivers/misc/mei/init.c:163) mei ... [ 106.635042] meistop (drivers/misc/mei/init.c:348) mei [ 106.635062] meivscremove (drivers/misc/mei/meidev.h:784 drivers/misc/mei/platform-vsc.c:393) meivsc [ 106.635066] platformremove (drivers/base/platform.c:1424)
Add the missing meicldevdisable() calls so that the meicl gets removed from meidevice->file_list before it is freed to fix this.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/0c92c49fc688cfadacc47ae99b06a31237702e9e
- https://git.kernel.org/stable/c/1dfe73394dcfc9b049c8da0dc181c45f156a5f49
- https://git.kernel.org/stable/c/3c0e4cc4f55f9a1db2a761e4ffb27c9594245888
- https://git.kernel.org/stable/c/639f5b33fcd7c59157f29b09f6f2866eacf9279c
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced29006e196a5661d9afc8152fa2bf8a5347ac17b4Fixed3c0e4cc4f55f9a1db2a761e4ffb27c9594245888
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced29006e196a5661d9afc8152fa2bf8a5347ac17b4Fixed639f5b33fcd7c59157f29b09f6f2866eacf9279c
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced29006e196a5661d9afc8152fa2bf8a5347ac17b4Fixed1dfe73394dcfc9b049c8da0dc181c45f156a5f49
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced29006e196a5661d9afc8152fa2bf8a5347ac17b4Fixed0c92c49fc688cfadacc47ae99b06a31237702e9e