{"id":71730,"date":"2025-10-15T11:45:37","date_gmt":"2025-10-15T08:15:37","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-39993-media-rc-fix-races-with-imon_disconnect\/"},"modified":"2025-10-15T11:45:37","modified_gmt":"2025-10-15T08:15:37","slug":"cve-2025-39993-media-rc-fix-races-with-imon_disconnect","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-39993-media-rc-fix-races-with-imon_disconnect\/","title":{"rendered":"CVE-2025-39993 &#8211; media: rc: fix races with imon_disconnect()"},"content":{"rendered":"<p>CVE ID : CVE-2025-39993<\/p>\n<p>Published : Oct. 15, 2025, 8:15 a.m. | 24\u00a0minutes ago<\/p>\n<p>Description : In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>media: rc: fix races with imon_disconnect()<\/p>\n<p>Syzbot reports a KASAN issue as below:<br \/>\nBUG: KASAN: use-after-free in __create_pipe include\/linux\/usb.h:1945 [inline]<br \/>\nBUG: KASAN: use-after-free in send_packet+0xa2d\/0xbc0 drivers\/media\/rc\/imon.c:627<br \/>\nRead of size 4 at addr ffff8880256fb000 by task syz-executor314\/4465<\/p>\n<p>CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0<br \/>\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04\/01\/2014<br \/>\nCall Trace:<\/p>\n<p>__dump_stack lib\/dump_stack.c:88 [inline]<br \/>\ndump_stack_lvl+0xcd\/0x134 lib\/dump_stack.c:106<br \/>\nprint_address_description mm\/kasan\/report.c:317 [inline]<br \/>\nprint_report.cold+0x2ba\/0x6e9 mm\/kasan\/report.c:433<br \/>\nkasan_report+0xb1\/0x1e0 mm\/kasan\/report.c:495<br \/>\n__create_pipe include\/linux\/usb.h:1945 [inline]<br \/>\nsend_packet+0xa2d\/0xbc0 drivers\/media\/rc\/imon.c:627<br \/>\nvfd_write+0x2d9\/0x550 drivers\/media\/rc\/imon.c:991<br \/>\nvfs_write+0x2d7\/0xdd0 fs\/read_write.c:576<br \/>\nksys_write+0x127\/0x250 fs\/read_write.c:631<br \/>\ndo_syscall_x64 arch\/x86\/entry\/common.c:50 [inline]<br \/>\ndo_syscall_64+0x35\/0xb0 arch\/x86\/entry\/common.c:80<br 
\/>\nentry_SYSCALL_64_after_hwframe+0x63\/0xcd<\/p>\n<p>The iMON driver improperly releases the usb_device reference in<br \/>\nimon_disconnect without coordinating with active users of the<br \/>\ndevice.<\/p>\n<p>Specifically, the fields usbdev_intf0 and usbdev_intf1 are not<br \/>\nprotected by the users counter (ictx-&gt;users). During probe,<br \/>\nimon_init_intf0 or imon_init_intf1 increments the usb_device<br \/>\nreference count depending on the interface. However, during<br \/>\ndisconnect, usb_put_dev is called unconditionally, regardless of<br \/>\nactual usage.<\/p>\n<p>As a result, if vfd_write or other operations are still in<br \/>\nprogress after disconnect, this can lead to a use-after-free of<br \/>\nthe usb_device pointer.<\/p>\n<p>Thread 1 vfd_write                      Thread 2 imon_disconnect<br \/>\n                                        &#8230;<br \/>\n                                        if<br \/>\n                                          usb_put_dev(ictx-&gt;usbdev_intf0)<br \/>\n                                        else<br \/>\n                                          usb_put_dev(ictx-&gt;usbdev_intf1)<br \/>\n&#8230;<br \/>\nwhile<br \/>\n  send_packet<br \/>\n    if<br \/>\n      pipe = usb_sndintpipe(<br \/>\n        ictx-&gt;usbdev_intf0) UAF<br \/>\n    else<br \/>\n      pipe = usb_sndctrlpipe(<br \/>\n        ictx-&gt;usbdev_intf0, 0) UAF<\/p>\n<p>Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by<br \/>\nchecking ictx-&gt;disconnected in all writer paths. Add early return<br \/>\nwith -ENODEV in send_packet(), vfd_write(), lcd_write() and<br \/>\ndisplay_open() if the device is no longer present.<\/p>\n<p>Set and read ictx-&gt;disconnected under ictx-&gt;lock to ensure memory<br \/>\nsynchronization. 
Acquire the lock in imon_disconnect() before setting<br \/>\nthe flag to synchronize with any ongoing operations.<\/p>\n<p>Ensure writers exit early and safely after disconnect before the USB<br \/>\ncore proceeds with cleanup.<\/p>\n<p>Found by Linux Verification Center (linuxtesting.org) with Syzkaller.<\/p>\n<p>Severity: 0.0 | NA<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2025-39993 Published : Oct. 15, 2025, 8:15 a.m. | 24\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include\/linux\/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d\/0xbc0 drivers\/media\/rc\/imon.c:627 Read of size &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-71730","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/71730","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=71730"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/71730\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=71730"}],"wp:term":[{"taxon
omy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=71730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=71730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}