CVE-2025-68367 (GCVE-0-2025-68367)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2025-12-24 10:32
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse The following warning appears when running syzkaller, and this issue also exists in the mainline code. ------------[ cut here ]------------ list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100. WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130 Modules linked in: CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__list_add_valid_or_report+0xf7/0x130 RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817 RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001 RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100 R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48 FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 80000000 Call Trace: <TASK> input_register_handler+0xb3/0x210 mac_hid_start_emulation+0x1c5/0x290 mac_hid_toggle_emumouse+0x20a/0x240 proc_sys_call_handler+0x4c2/0x6e0 new_sync_write+0x1b1/0x2d0 vfs_write+0x709/0x950 ksys_write+0x12a/0x250 do_syscall_64+0x5a/0x110 entry_SYSCALL_64_after_hwframe+0x78/0xe2 The WARNING occurs when two processes concurrently write to the mac-hid emulation sysctl, causing a race condition in mac_hid_toggle_emumouse(). Both processes read old_val=0, then both try to register the input handler, leading to a double list_add of the same handler. CPU0 CPU1 ------------------------- ------------------------- vfs_write() //write 1 vfs_write() //write 1 proc_sys_write() proc_sys_write() mac_hid_toggle_emumouse() mac_hid_toggle_emumouse() old_val = *valp // old_val=0 old_val = *valp // old_val=0 mutex_lock_killable() proc_dointvec() // *valp=1 mac_hid_start_emulation() input_register_handler() mutex_unlock() mutex_lock_killable() proc_dointvec() mac_hid_start_emulation() input_register_handler() //Trigger Warning mutex_unlock() Fix this by moving the old_val read inside the mutex lock region.
References
Impacted products
Vendor Product Version
Linux Linux Version: 99b089c3c38a83ebaeb1cc4584ddcde841626467
Version: 99b089c3c38a83ebaeb1cc4584ddcde841626467
Version: 99b089c3c38a83ebaeb1cc4584ddcde841626467
Version: 99b089c3c38a83ebaeb1cc4584ddcde841626467
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/macintosh/mac_hid.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "230621ffdb361d15cd3ef92d8b4fa8d314f4fad4",
              "status": "affected",
              "version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
              "versionType": "git"
            },
            {
              "lessThan": "388391dd1cc567fcf0b372b63d414c119d23e911",
              "status": "affected",
              "version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
              "versionType": "git"
            },
            {
              "lessThan": "48a7d427eb65922b3f17fbe00e2bbc7cb9eac381",
              "status": "affected",
              "version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
              "versionType": "git"
            },
            {
              "lessThan": "1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f",
              "status": "affected",
              "version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/macintosh/mac_hid.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.34"
            },
            {
              "lessThan": "2.6.34",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse\n\nThe following warning appears when running syzkaller, and this issue also\nexists in the mainline code.\n\n ------------[ cut here ]------------\n list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.\n WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130\n Modules linked in:\n CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__list_add_valid_or_report+0xf7/0x130\n RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282\n RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817\n RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001\n RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c\n R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100\n R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48\n FS:  00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 80000000\n Call Trace:\n  \u003cTASK\u003e\n  input_register_handler+0xb3/0x210\n  mac_hid_start_emulation+0x1c5/0x290\n  mac_hid_toggle_emumouse+0x20a/0x240\n  proc_sys_call_handler+0x4c2/0x6e0\n  new_sync_write+0x1b1/0x2d0\n  vfs_write+0x709/0x950\n  ksys_write+0x12a/0x250\n  do_syscall_64+0x5a/0x110\n  entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nThe WARNING occurs when two processes concurrently write to the mac-hid\nemulation sysctl, causing a race condition in mac_hid_toggle_emumouse().\nBoth processes read old_val=0, then both try to register the input handler,\nleading to a double list_add of the same handler.\n\n  CPU0                             CPU1\n  -------------------------        -------------------------\n  vfs_write() //write 1            vfs_write()  //write 1\n    proc_sys_write()                 proc_sys_write()\n      mac_hid_toggle_emumouse()          mac_hid_toggle_emumouse()\n        old_val = *valp // old_val=0\n                                           old_val = *valp // old_val=0\n                                           mutex_lock_killable()\n                                           proc_dointvec() // *valp=1\n                                           mac_hid_start_emulation()\n                                             input_register_handler()\n                                           mutex_unlock()\n        mutex_lock_killable()\n        proc_dointvec()\n        mac_hid_start_emulation()\n          input_register_handler() //Trigger Warning\n        mutex_unlock()\n\nFix this by moving the old_val read inside the mutex lock region."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T10:32:54.084Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/230621ffdb361d15cd3ef92d8b4fa8d314f4fad4"
        },
        {
          "url": "https://git.kernel.org/stable/c/388391dd1cc567fcf0b372b63d414c119d23e911"
        },
        {
          "url": "https://git.kernel.org/stable/c/48a7d427eb65922b3f17fbe00e2bbc7cb9eac381"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f"
        }
      ],
      "title": "macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68367",
    "datePublished": "2025-12-24T10:32:54.084Z",
    "dateReserved": "2025-12-16T14:48:05.309Z",
    "dateUpdated": "2025-12-24T10:32:54.084Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68367\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T11:16:00.267\",\"lastModified\":\"2025-12-24T11:16:00.267\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmacintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse\\n\\nThe following warning appears when running syzkaller, and this issue also\\nexists in the mainline code.\\n\\n ------------[ cut here ]------------\\n list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.\\n WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130\\n Modules linked in:\\n CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\\n RIP: 0010:__list_add_valid_or_report+0xf7/0x130\\n RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282\\n RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817\\n RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001\\n RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c\\n R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100\\n R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48\\n FS:  00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000\\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n PKRU: 80000000\\n Call Trace:\\n  \u003cTASK\u003e\\n  input_register_handler+0xb3/0x210\\n  mac_hid_start_emulation+0x1c5/0x290\\n  mac_hid_toggle_emumouse+0x20a/0x240\\n  proc_sys_call_handler+0x4c2/0x6e0\\n  new_sync_write+0x1b1/0x2d0\\n  vfs_write+0x709/0x950\\n  ksys_write+0x12a/0x250\\n  do_syscall_64+0x5a/0x110\\n  entry_SYSCALL_64_after_hwframe+0x78/0xe2\\n\\nThe WARNING occurs when two processes concurrently write to the mac-hid\\nemulation sysctl, causing a race condition in mac_hid_toggle_emumouse().\\nBoth processes read old_val=0, then both try to register the input handler,\\nleading to a double list_add of the same handler.\\n\\n  CPU0                             CPU1\\n  -------------------------        -------------------------\\n  vfs_write() //write 1            vfs_write()  //write 1\\n    proc_sys_write()                 proc_sys_write()\\n      mac_hid_toggle_emumouse()          mac_hid_toggle_emumouse()\\n        old_val = *valp // old_val=0\\n                                           old_val = *valp // old_val=0\\n                                           mutex_lock_killable()\\n                                           proc_dointvec() // *valp=1\\n                                           mac_hid_start_emulation()\\n                                             input_register_handler()\\n                                           mutex_unlock()\\n        mutex_lock_killable()\\n        proc_dointvec()\\n        mac_hid_start_emulation()\\n          input_register_handler() //Trigger Warning\\n        mutex_unlock()\\n\\nFix this by moving the old_val read inside the mutex lock region.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/230621ffdb361d15cd3ef92d8b4fa8d314f4fad4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/388391dd1cc567fcf0b372b63d414c119d23e911\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/48a7d427eb65922b3f17fbe00e2bbc7cb9eac381\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.