Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-26875

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
17/04/2024
Last modified:
21/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: pvrusb2: fix uaf in pvr2_context_set_notify<br /> <br /> [Syzbot reported]<br /> BUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35<br /> Read of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26<br /> <br /> CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024<br /> Workqueue: usb_hub_wq hub_event<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106<br /> print_address_description mm/kasan/report.c:377 [inline]<br /> print_report+0xc4/0x620 mm/kasan/report.c:488<br /> kasan_report+0xda/0x110 mm/kasan/report.c:601<br /> pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35<br /> pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline]<br /> pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272<br /> <br /> Freed by task 906:<br /> kasan_save_stack+0x33/0x50 mm/kasan/common.c:47<br /> kasan_save_track+0x14/0x30 mm/kasan/common.c:68<br /> kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640<br /> poison_slab_object mm/kasan/common.c:241 [inline]<br /> __kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257<br /> kasan_slab_free include/linux/kasan.h:184 [inline]<br /> slab_free_hook mm/slub.c:2121 [inline]<br /> slab_free mm/slub.c:4299 [inline]<br /> kfree+0x105/0x340 mm/slub.c:4409<br /> pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]<br /> pvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158<br /> <br /> [Analyze]<br /> Task A set disconnect_flag = !0, which resulted in Task B&amp;#39;s condition being met<br /> and releasing mp, leading to this issue.<br /> <br /> [Fix]<br /> Place the disconnect_flag assignment operation after all code in pvr2_context_disconnect()<br /> to avoid this issue.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 6.40 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
6.40
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.26 (including) 4.19.311 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.273 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.214 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.153 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.83 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.8 (including) 6.8.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools