In the Linux kernel, a vulnerability has been recently resolved in the hwmon subsystem, specifically in the drivetemp driver. The vulnerability stems from the driver producing garbage data when SCSI errors occur. This article will provide an overview of the vulnerability, include a code snippet that demonstrates the issue, outline the exploit details, and provide links to the original references discussing the problem and its resolution.

Vulnerability Details

The issue lies with the scsi_execute_cmd() function, which can return both negative (Linux error codes) and positive (scsi_cmnd result field) error codes. Currently, the drivetemp driver simply passes the error codes of scsi_execute_cmd() to the hwmon core. However, this is incorrect since the hwmon core only checks for negative error codes. As a result, when SCSI errors occur (e.g., when a disk drive is disconnected), hwmon reports uninitialized data to userspace, creating the potential for garbage data and ultimately compromising system performance and stability.

Here is a code snippet that demonstrates the problem:

static int drv_get_temp(struct device *dev, u32 attr, int channel,
			long *val)
{
	struct drv_dev *dd = dev_get_drvdata(dev);
	struct scsi_cmnd *cmd;
	struct scsi_sense_hdr sshdr;
	char *buffer;
	int err, ret = -ENODEV;

	cmd = scsi_host_get_command(dd->shost, DMA_FROM_DEVICE, GFP_KERNEL);
	if (!cmd)
		return -ENOMEM;

	/* snipped command preparation code */

	err = scsi_execute_cmd(cmd);
	if (err) {
		/*
		 * Bug: sshdr.ascq is a positive SCSI sense value, not a
		 * negative errno, so the hwmon core takes it for success and
		 * hands the still-unset *val to userspace.
		 */
		ret = scsi_normalize_sense(cmd->sense_buffer,
				SCSI_SENSE_BUFFERSIZE, &sshdr)
			? sshdr.ascq : -EIO;
		goto out_put_command;
	}

	/* snipped temperature extraction code */

out_put_command:
	scsi_host_put_command(cmd);
	return ret;
}

In this snippet, scsi_execute_cmd() may return a negative Linux error code or a positive SCSI result, and the value the driver hands back on failure (here sshdr.ascq) is itself positive. The hwmon core, however, treats only negative return values as errors, so a failed read is passed to userspace as a successful one with *val never having been written.

Proposed Fix

The patch developed in response to this vulnerability properly checks the output of the scsi_execute_cmd() function and returns -EIO if its error code is positive, consequently avoiding the occurrence of uninitialized data being reported to userspace:

	/* ... */
	err = scsi_execute_cmd(cmd);
	if (err) {
		/* A positive value is a SCSI result, not an errno: fold it into -EIO. */
		if (err > 0)
			err = -EIO;
		/*
		 * Both branches now yield a negative errno, the only kind of
		 * error the hwmon core recognises.
		 */
		ret = scsi_normalize_sense(cmd->sense_buffer,
				SCSI_SENSE_BUFFERSIZE, &sshdr)
			? -EIO : err;
		goto out_put_command;
	}
	/* ... */

By implementing this fix, the drivetemp driver now accurately handles SCSI error codes and prevents the reporting of garbage data to userspace.
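The following user-space model, added here as an illustration and not code from the kernel or from the drivetemp driver, reproduces the sign-convention mismatch described above and the effect of the fix. fake_scsi_execute_cmd(), the two drivetemp_read_* functions and hwmon_core_read() are constructed stand-ins: the first returns 0, a negative errno or a positive SCSI status exactly as the text describes for scsi_execute_cmd(), and the last mimics the hwmon core's rule that only negative values count as errors. UNSET_TEMP plays the role of the uninitialised value that reaches userspace in the vulnerable path.

```c
#include <errno.h>
#include <stdio.h>

/* Sentinel for whatever happened to be in the caller's output slot;
 * in the kernel this would be uninitialised stack memory. */
#define UNSET_TEMP (-99999L)

/* Constructed outcomes for the stand-in scsi_execute_cmd(). */
enum cmd_outcome {
	OUTCOME_OK,           /* command completed, temperature filled in */
	OUTCOME_LINUX_ERROR,  /* transport failure: negative errno */
	OUTCOME_SCSI_STATUS   /* device returned a SCSI status: positive */
};

/* Stand-in (not the kernel's) for scsi_execute_cmd(): returns 0,
 * a negative Linux error code, or a positive SCSI result value. */
static int fake_scsi_execute_cmd(enum cmd_outcome o, long *temp)
{
	switch (o) {
	case OUTCOME_OK:
		*temp = 37;       /* constructed reading, degrees Celsius */
		return 0;
	case OUTCOME_LINUX_ERROR:
		return -ENODEV;   /* e.g. the drive was disconnected */
	case OUTCOME_SCSI_STATUS:
	default:
		return 0x02;      /* constructed positive status (CHECK CONDITION) */
	}
}

typedef int (*drivetemp_read_fn)(enum cmd_outcome, long *);

/* Vulnerable pattern: whatever scsi_execute_cmd() returned is passed up. */
static int drivetemp_read_vulnerable(enum cmd_outcome o, long *val)
{
	long temp = UNSET_TEMP;
	int err = fake_scsi_execute_cmd(o, &temp);

	if (err)
		return err;       /* may be positive: caller sees no error */
	*val = temp;
	return 0;
}

/* Fixed pattern: a positive SCSI result is folded into -EIO first. */
static int drivetemp_read_fixed(enum cmd_outcome o, long *val)
{
	long temp = UNSET_TEMP;
	int err = fake_scsi_execute_cmd(o, &temp);

	if (err > 0)
		err = -EIO;
	if (err)
		return err;       /* always negative here */
	*val = temp;
	return 0;
}

/* Stand-in for the hwmon core's read path: only negative return values
 * are errors; anything else is handed to userspace as a valid value. */
static int hwmon_core_read(drivetemp_read_fn read, enum cmd_outcome o, long *val)
{
	int ret;

	*val = UNSET_TEMP;
	ret = read(o, val);
	if (ret < 0)
		return ret;       /* error propagated to userspace */
	return 0;             /* "success": *val is reported as-is */
}

/* Convenience wrappers so each result can be checked by return value. */
static int read_ret(drivetemp_read_fn read, enum cmd_outcome o)
{
	long v;
	return hwmon_core_read(read, o, &v);
}

static long read_val(drivetemp_read_fn read, enum cmd_outcome o)
{
	long v;
	hwmon_core_read(read, o, &v);
	return v;
}

int main(void)
{
	printf("vulnerable, SCSI status: ret=%d val=%ld (unset value reported as success)\n",
	       read_ret(drivetemp_read_vulnerable, OUTCOME_SCSI_STATUS),
	       read_val(drivetemp_read_vulnerable, OUTCOME_SCSI_STATUS));
	printf("fixed, SCSI status:      ret=%d (-EIO is %d)\n",
	       read_ret(drivetemp_read_fixed, OUTCOME_SCSI_STATUS), -EIO);
	return 0;
}
```

With the SCSI-status outcome, the vulnerable path returns 0 to the hwmon stand-in and the sentinel is reported as a temperature; the fixed path returns -EIO and nothing is reported. Negative errno values and genuine successes behave identically in both versions, which is why the one-line normalisation is sufficient.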

Original References

- The Linux Kernel Mailing List discussion where the issue was initially reported and addressed can be found here.
- The commit diff on the Linux kernel git repository that resolved the vulnerability is available here.

Conclusion

This post detailed the vulnerability CVE-2025-21656, which has now been resolved in the Linux kernel. The issue pertained to garbage data being produced by the drivetemp driver when SCSI errors occurred. A patch was created to properly check scsi_execute_cmd() output, preventing uninitialized data from being reported to userspace and maintaining system performance and stability.

Timeline

Published on: 01/21/2025 13:15:09 UTC