CVE-2025-39790 (GCVE-0-2025-39790)
Vulnerability from cvelistv5
Published: 2025-09-11 16:56
Modified: 2025-09-11 16:56
Summary
In the Linux kernel, the following vulnerability has been resolved:

bus: mhi: host: Detect events pointing to unexpected TREs

When a remote device sends a completion event to the host, it contains a pointer to the consumed TRE. The host uses this pointer to process all of the TREs between it and the host's local copy of the ring's read pointer. This works when processing completion for chained transactions, but can lead to nasty results if the device sends an event for a single-element transaction with a read pointer that is multiple elements ahead of the host's read pointer.

For instance, if the host accesses an event ring while the device is updating it, the pointer inside of the event might still point to an old TRE. If the host uses the channel's xfer_cb() to directly free the buffer pointed to by the TRE, the buffer will be double-freed.

This behavior was observed on an ep that used the upstream EP stack without 'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer is written")', where the device updated the event ring pointer before updating the event contents, so it left a window where the host was able to access the stale data the event pointed to before the device had the chance to update it. The usual pattern was that the host received an event pointing to a TRE that is not immediately after the last processed one, so it got treated as if it was a chained transaction, processing all of the TREs in between the two read pointers.

This commit aims to harden the host by ensuring that transactions where the event points to a TRE that isn't local_rp + 1 are chained.

[mani: added stable tag and reworded commit message]
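To make the failure mode and the hardening concrete, here is an added, constructed model in C of a transfer ring with completion events. It is not the kernel's drivers/bus/mhi/host/main.c and not the referenced patch; it assumes a fixed-size ring (RING_LEN), indices instead of DMA addresses for the read pointers, a per-TRE chain flag meaning "the next TRE belongs to the same transaction", and an xfer_cb() stand-in that counts a repeated release instead of actually freeing memory. The unchecked path trusts the device pointer and walks every TRE up to it; the checked path first verifies that every TRE it would skip over is chained, and otherwise drops the event without releasing anything.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define RING_LEN 8   /* assumption: small fixed ring for the demonstration */

struct tre {
    bool chain;   /* next TRE continues this transaction (last TRE has it clear) */
    bool freed;   /* stands in for "the client released this buffer" */
};

struct xfer_ring {
    struct tre el[RING_LEN];
    size_t local_rp;    /* host's local copy of the read pointer */
    int double_frees;   /* times xfer_cb() was asked to release a freed buffer */
};

static size_t ring_next(size_t i) { return (i + 1) % RING_LEN; }

/* Stand-in for the channel's xfer_cb(): a second release of the same buffer is
 * the double free described above; here it is counted, not performed. */
static void xfer_cb(struct xfer_ring *r, size_t i)
{
    if (r->el[i].freed)
        r->double_frees++;
    r->el[i].freed = true;
}

/* Completes every TRE from local_rp up to and including dev_rp. */
static void complete_range(struct xfer_ring *r, size_t dev_rp)
{
    size_t i = r->local_rp;
    for (;;) {
        xfer_cb(r, i);
        if (i == dev_rp)
            break;
        i = ring_next(i);
    }
    r->local_rp = ring_next(dev_rp);
}

/* Pre-hardening behaviour: the device pointer is trusted as-is. */
static void process_event_unchecked(struct xfer_ring *r, size_t dev_rp)
{
    complete_range(r, dev_rp);
}

/* Hardened behaviour: a pointer beyond local_rp is only legitimate when every
 * TRE it skips is chained into one transaction. Returns false (and touches
 * nothing) when the event points to an unexpected TRE. */
static bool process_event_checked(struct xfer_ring *r, size_t dev_rp)
{
    size_t i;
    for (i = r->local_rp; i != dev_rp; i = ring_next(i))
        if (!r->el[i].chain)
            return false;
    complete_range(r, dev_rp);
    return true;
}

/* Constructed ring: TREs 0 and 1 are single-element transactions,
 * TREs 2..4 form one chained three-element transaction. */
static void setup_ring(struct xfer_ring *r)
{
    for (size_t i = 0; i < RING_LEN; i++)
        r->el[i] = (struct tre){ .chain = false, .freed = false };
    r->el[2].chain = true;
    r->el[3].chain = true;
    r->local_rp = 0;
    r->double_frees = 0;
}

/* Stale event for TRE 1 arrives while the host expects TRE 0, then the genuine
 * completion of TRE 0 arrives. Returns the double-free count (expected: 1). */
int demo_unchecked(void)
{
    struct xfer_ring r;
    setup_ring(&r);
    process_event_unchecked(&r, 1);   /* releases 0 and 1, local_rp -> 2 */
    process_event_unchecked(&r, 0);   /* walks 2..7 and 0: releases 0 again */
    return r.double_frees;
}

/* Same event sequence through the checked path: the stale event is dropped,
 * the genuine one completes exactly TRE 0. */
bool demo_checked_rejects_stale(void)
{
    struct xfer_ring r;
    setup_ring(&r);
    bool stale_accepted = process_event_checked(&r, 1);
    bool real_accepted = process_event_checked(&r, 0);
    return !stale_accepted && real_accepted && r.local_rp == 1 &&
           r.double_frees == 0 && r.el[0].freed && !r.el[1].freed;
}

/* A legitimate multi-element completion still works: host at TRE 2, event for
 * TRE 4, TREs 2 and 3 carry the chain flag. */
bool demo_checked_accepts_chain(void)
{
    struct xfer_ring r;
    setup_ring(&r);
    r.local_rp = 2;
    bool ok = process_event_checked(&r, 4);
    return ok && r.local_rp == 5 && r.el[2].freed && r.el[3].freed &&
           r.el[4].freed && !r.el[5].freed && r.double_frees == 0;
}

int main(void)
{
    printf("unchecked path double frees: %d\n", demo_unchecked());
    printf("checked path rejects stale event: %s\n",
           demo_checked_rejects_stale() ? "yes" : "no");
    printf("checked path accepts chained transaction: %s\n",
           demo_checked_accepts_chain() ? "yes" : "no");
    return 0;
}
```

The point of the checked path is ordering: validation happens before any buffer is handed back to the client, so an event that refers to a TRE the host did not expect can be dropped and logged without the client ever seeing a second release of the same buffer.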
References
- https://git.kernel.org/stable/c/7b3f0e3b60c27f4fcb69927d84987e5fd6240530
- https://git.kernel.org/stable/c/4079c6c59705b96285219b9efc63cab870d757b7
- https://git.kernel.org/stable/c/5e17429679a8545afe438ce7a82a13a54e8ceabb
- https://git.kernel.org/stable/c/2ec99b922f4661521927eeada76f431eebfbabc4
- https://git.kernel.org/stable/c/44e1a079e18f78d6594a715b0c6d7e18c656f7b9
- https://git.kernel.org/stable/c/5bd398e20f0833ae8a1267d4f343591a2dd20185
Impacted products
Vendor | Product | Affected from | Fixed in
---|---|---|---
Linux | Linux | 5.7 (git 1d3173a3bae7039b765a0956e3e4bf846dbaacb8) | 5.15.190, 6.1.149, 6.6.103, 6.12.44, 6.16.4, 6.17-rc1
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/bus/mhi/host/main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7b3f0e3b60c27f4fcb69927d84987e5fd6240530", "status": "affected", "version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8", "versionType": "git" }, { "lessThan": "4079c6c59705b96285219b9efc63cab870d757b7", "status": "affected", "version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8", "versionType": "git" }, { "lessThan": "5e17429679a8545afe438ce7a82a13a54e8ceabb", "status": "affected", "version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8", "versionType": "git" }, { "lessThan": "2ec99b922f4661521927eeada76f431eebfbabc4", "status": "affected", "version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8", "versionType": "git" }, { "lessThan": "44e1a079e18f78d6594a715b0c6d7e18c656f7b9", "status": "affected", "version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8", "versionType": "git" }, { "lessThan": "5bd398e20f0833ae8a1267d4f343591a2dd20185", "status": "affected", "version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/bus/mhi/host/main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.7" }, { "lessThan": "5.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.149", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.103", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.44", "versionType": "semver" }, { "lessThanOrEqual": 
"6.16.*", "status": "unaffected", "version": "6.16.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.149", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.103", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.44", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.4", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc1", "versionStartIncluding": "5.7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Detect events pointing to unexpected TREs\n\nWhen a remote device sends a completion event to the host, it contains a\npointer to the consumed TRE. 
The host uses this pointer to process all of\nthe TREs between it and the host\u0027s local copy of the ring\u0027s read pointer.\nThis works when processing completion for chained transactions, but can\nlead to nasty results if the device sends an event for a single-element\ntransaction with a read pointer that is multiple elements ahead of the\nhost\u0027s read pointer.\n\nFor instance, if the host accesses an event ring while the device is\nupdating it, the pointer inside of the event might still point to an old\nTRE. If the host uses the channel\u0027s xfer_cb() to directly free the buffer\npointed to by the TRE, the buffer will be double-freed.\n\nThis behavior was observed on an ep that used upstream EP stack without\n\u0027commit 6f18d174b73d (\"bus: mhi: ep: Update read pointer only after buffer\nis written\")\u0027. Where the device updated the events ring pointer before\nupdating the event contents, so it left a window where the host was able to\naccess the stale data the event pointed to, before the device had the\nchance to update them. 
The usual pattern was that the host received an\nevent pointing to a TRE that is not immediately after the last processed\none, so it got treated as if it was a chained transaction, processing all\nof the TREs in between the two read pointers.\n\nThis commit aims to harden the host by ensuring transactions where the\nevent points to a TRE that isn\u0027t local_rp + 1 are chained.\n\n[mani: added stable tag and reworded commit message]" } ], "providerMetadata": { "dateUpdated": "2025-09-11T16:56:38.643Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7b3f0e3b60c27f4fcb69927d84987e5fd6240530" }, { "url": "https://git.kernel.org/stable/c/4079c6c59705b96285219b9efc63cab870d757b7" }, { "url": "https://git.kernel.org/stable/c/5e17429679a8545afe438ce7a82a13a54e8ceabb" }, { "url": "https://git.kernel.org/stable/c/2ec99b922f4661521927eeada76f431eebfbabc4" }, { "url": "https://git.kernel.org/stable/c/44e1a079e18f78d6594a715b0c6d7e18c656f7b9" }, { "url": "https://git.kernel.org/stable/c/5bd398e20f0833ae8a1267d4f343591a2dd20185" } ], "title": "bus: mhi: host: Detect events pointing to unexpected TREs", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39790", "datePublished": "2025-09-11T16:56:38.643Z", "dateReserved": "2025-04-16T07:20:57.131Z", "dateUpdated": "2025-09-11T16:56:38.643Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2025-39790\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-09-11T17:15:45.360\",\"lastModified\":\"2025-09-15T15:22:38.297\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbus: mhi: host: Detect 
events pointing to unexpected TREs\\n\\nWhen a remote device sends a completion event to the host, it contains a\\npointer to the consumed TRE. The host uses this pointer to process all of\\nthe TREs between it and the host\u0027s local copy of the ring\u0027s read pointer.\\nThis works when processing completion for chained transactions, but can\\nlead to nasty results if the device sends an event for a single-element\\ntransaction with a read pointer that is multiple elements ahead of the\\nhost\u0027s read pointer.\\n\\nFor instance, if the host accesses an event ring while the device is\\nupdating it, the pointer inside of the event might still point to an old\\nTRE. If the host uses the channel\u0027s xfer_cb() to directly free the buffer\\npointed to by the TRE, the buffer will be double-freed.\\n\\nThis behavior was observed on an ep that used upstream EP stack without\\n\u0027commit 6f18d174b73d (\\\"bus: mhi: ep: Update read pointer only after buffer\\nis written\\\")\u0027. Where the device updated the events ring pointer before\\nupdating the event contents, so it left a window where the host was able to\\naccess the stale data the event pointed to, before the device had the\\nchance to update them. 
The usual pattern was that the host received an\\nevent pointing to a TRE that is not immediately after the last processed\\none, so it got treated as if it was a chained transaction, processing all\\nof the TREs in between the two read pointers.\\n\\nThis commit aims to harden the host by ensuring transactions where the\\nevent points to a TRE that isn\u0027t local_rp + 1 are chained.\\n\\n[mani: added stable tag and reworded commit message]\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2ec99b922f4661521927eeada76f431eebfbabc4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4079c6c59705b96285219b9efc63cab870d757b7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/44e1a079e18f78d6594a715b0c6d7e18c656f7b9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5bd398e20f0833ae8a1267d4f343591a2dd20185\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5e17429679a8545afe438ce7a82a13a54e8ceabb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7b3f0e3b60c27f4fcb69927d84987e5fd6240530\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}" } }