CVE-2024-39495
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 12/07/2024
Last modified: 20/08/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

greybus: Fix use-after-free bug in gb_interface_release due to race condition.

In gb_interface_create, &intf->mode_switch_completion is bound with
gb_interface_mode_switch_work. Then it will be started by
gb_interface_request_mode_switch. Here is the relevant code.

    if (!queue_work(system_long_wq, &intf->mode_switch_work)) {
            ...
    }

If we call gb_interface_release to make cleanup, there may be an
unfinished work. This function will call kfree to free the object
"intf". However, if gb_interface_mode_switch_work is scheduled to
run after kfree, it may cause use-after-free error as
gb_interface_mode_switch_work will use the object "intf".
The possible execution flow that may lead to the issue is as follows:

    CPU0                            CPU1

                                |   gb_interface_create
                                |   gb_interface_request_mode_switch
    gb_interface_release        |
    kfree(intf) (free)          |
                                |   gb_interface_mode_switch_work
                                |   mutex_lock(&intf->mutex) (use)

Fix it by canceling the work before kfree.
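The ordering problem described above can be replayed deterministically in userspace. The following is an added example, not code from the kernel or from the fix commits: `struct intf_model` and its functions are hypothetical stand-ins, and a `freed` flag replaces kfree so the stale access is counted rather than executed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model (assumption): names echo the commit message, but this is
 * not kernel code. "freed" stands in for kfree() so the stale access can be
 * counted instead of corrupting memory. */
struct intf_model {
    bool freed;          /* set where the kernel would kfree(intf) */
    bool work_pending;   /* models queue_work() having queued the work */
    int  uaf_hits;       /* times the work touched the object after "free" */
    int  work_runs;      /* times the work ran on a live object */
};

/* Models gb_interface_request_mode_switch(): queue once, like queue_work(). */
static bool request_mode_switch(struct intf_model *i)
{
    if (i->work_pending)
        return false;
    i->work_pending = true;
    return true;
}

/* Models the worker thread picking up gb_interface_mode_switch_work. */
static void run_pending_work(struct intf_model *i)
{
    if (!i->work_pending)
        return;
    i->work_pending = false;
    if (i->freed)
        i->uaf_hits++;   /* kernel: mutex_lock(&intf->mutex) on freed memory */
    else
        i->work_runs++;
}

/* Release path; cancel_first=false is the pre-fix ordering. */
static void release(struct intf_model *i, bool cancel_first)
{
    if (cancel_first)
        i->work_pending = false; /* stands in for cancelling the work */
    i->freed = true;             /* stands in for kfree(intf) */
}

/* Replays the CPU0/CPU1 interleaving; returns the number of stale accesses. */
int replay_interleaving(bool cancel_first)
{
    struct intf_model i = {0};
    request_mode_switch(&i);   /* CPU1: work queued */
    release(&i, cancel_first); /* CPU0: release before the work runs */
    run_pending_work(&i);      /* CPU1: worker finally scheduled */
    return i.uaf_hits;
}
```

This single-threaded model covers only work that is still pending at release time; in the kernel, a synchronous cancel such as `cancel_work_sync()` additionally waits for a handler that is already running.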
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 5.4.279 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.221 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.162 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.95 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.35 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.9.6 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445
- https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea
- https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83
- https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce
- https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201
- https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc
- https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9