CVE-2024-46746
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 18/09/2024
Last modified: 26/09/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

HID: amd_sfh: free driver_data after destroying hid device

HID driver callbacks aren't called anymore once hid_destroy_device() has
been called. Hence, hid driver_data should be freed only after the
hid_destroy_device() function returned as driver_data is used in several
callbacks.

I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling
KASAN to debug memory allocation, I got this output:

[ 13.050438] ==================================================================
[ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh]
[ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3
[ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479

[ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0
[ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024
[ 13.067860] Call Trace:
[ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8
[ 13.071486]
[ 13.071492] dump_stack_lvl+0x5d/0x80
[ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002)
[ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.082199] print_report+0x174/0x505
[ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.093255] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.097464] kasan_report+0xc8/0x150
[ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082]
[ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0
[ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b]
[ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.150446] ? __devm_add_action+0x167/0x1d0
[ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.161814] platform_probe+0xa2/0x150
[ 13.165029] really_probe+0x1e3/0x8a0
[ 13.168243] __driver_probe_device+0x18c/0x370
[ 13.171500] driver_probe_device+0x4a/0x120
[ 13.175000] __driver_attach+0x190/0x4a0
[ 13.178521] ? __pfx___driver_attach+0x10/0x10
[ 13.181771] bus_for_each_dev+0x106/0x180
[ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10
[ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10
[ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.194382] bus_add_driver+0x29e/0x4d0
[ 13.197328] driver_register+0x1a5/0x360
[ 13.200283] ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.203362] do_one_initcall+0xa7/0x380
[ 13.206432] ? __pfx_do_one_initcall+0x10/0x10
[ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.213211] ? kasan_unpoison+0x44/0x70
[ 13.216688] do_init_module+0x238/0x750
[ 13.2196
---truncated---
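
The teardown ordering the description relies on, as a user-space model added here for illustration; it is not code from the amd_sfh driver or from the fix commit, and every `model_*` name and the `teardown` helper are hypothetical. A callback is injected between the two teardown steps and the model counts how often it would have read already-freed driver data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

/* Constructed model of a HID device; not the kernel's struct hid_device. */
struct model_hid {
    bool registered;     /* callbacks are dispatched only while true */
    void *driver_data;   /* per-device state the callbacks dereference */
    bool data_freed;     /* tracked so the model never touches freed memory */
    int stale_accesses;  /* callbacks that would have read freed driver_data */
};

/* Stand-in for a driver callback such as a get-report request. */
static void model_request(struct model_hid *hid)
{
    if (!hid->registered)
        return;                 /* device destroyed: no callback reaches the driver */
    if (hid->data_freed)
        hid->stale_accesses++;  /* in the kernel this is the use-after-free read */
}

static void model_free_data(struct model_hid *hid)
{
    free(hid->driver_data);
    hid->driver_data = NULL;
    hid->data_freed = true;
}

static void model_destroy(struct model_hid *hid)
{
    hid->registered = false;    /* models hid_destroy_device() having returned */
}

/* Tears the device down with a callback arriving between the two steps. */
static int teardown(bool destroy_first)
{
    struct model_hid hid = { .registered = true, .driver_data = malloc(64) };

    if (destroy_first) model_destroy(&hid); else model_free_data(&hid);
    model_request(&hid);        /* worst-case timing: mid-teardown callback */
    if (destroy_first) model_free_data(&hid); else model_destroy(&hid);
    return hid.stale_accesses;
}

int main(void)
{
    printf("free, then destroy: %d stale access(es)\n", teardown(false));
    printf("destroy, then free: %d stale access(es)\n", teardown(true));
    return 0;
}
```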
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 5.15.167 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.110 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.51 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.10 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/60dc4ee0428d70bcbb41436b6729d29f1cbdfb89
- https://git.kernel.org/stable/c/775125c7fe38533aaa4b20769f5b5e62cc1170a0
- https://git.kernel.org/stable/c/86b4f5cf91ca03c08e3822ac89476a677a780bcc
- https://git.kernel.org/stable/c/97155021ae17b86985121b33cf8098bcde00d497
- https://git.kernel.org/stable/c/adb3e3c1ddb5a23b8b7122ef1913f528d728937c