CVE-2024-50150

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 07/11/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: altmode should keep reference to parent

The altmode device release refers to its parent device, but without keeping a reference to it.

When registering the altmode, get a reference to the parent and put it in the release function.

Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues like this:

[ 43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000)
[ 43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000)
[ 43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000)
[ 43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000)
[ 43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000)
[ 43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000)
[ 43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000)
[ 46.612867] ==================================================================
[ 46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129
[ 46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48
[ 46.614538]
[ 46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535
[ 46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[ 46.616042] Workqueue: events kobject_delayed_cleanup
[ 46.616446] Call Trace:
[ 46.616648]
[ 46.616820] dump_stack_lvl+0x5b/0x7c
[ 46.617112] ? typec_altmode_release+0x38/0x129
[ 46.617470] print_report+0x14c/0x49e
[ 46.617769] ? rcu_read_unlock_sched+0x56/0x69
[ 46.618117] ? __virt_addr_valid+0x19a/0x1ab
[ 46.618456] ? kmem_cache_debug_flags+0xc/0x1d
[ 46.618807] ? typec_altmode_release+0x38/0x129
[ 46.619161] kasan_report+0x8d/0xb4
[ 46.619447] ? typec_altmode_release+0x38/0x129
[ 46.619809] ? process_scheduled_works+0x3cb/0x85f
[ 46.620185] typec_altmode_release+0x38/0x129
[ 46.620537] ? process_scheduled_works+0x3cb/0x85f
[ 46.620907] device_release+0xaf/0xf2
[ 46.621206] kobject_delayed_cleanup+0x13b/0x17a
[ 46.621584] process_scheduled_works+0x4f6/0x85f
[ 46.621955] ? __pfx_process_scheduled_works+0x10/0x10
[ 46.622353] ? hlock_class+0x31/0x9a
[ 46.622647] ? lock_acquired+0x361/0x3c3
[ 46.622956] ? move_linked_works+0x46/0x7d
[ 46.623277] worker_thread+0x1ce/0x291
[ 46.623582] ? __kthread_parkme+0xc8/0xdf
[ 46.623900] ? __pfx_worker_thread+0x10/0x10
[ 46.624236] kthread+0x17e/0x190
[ 46.624501] ? kthread+0xfb/0x190
[ 46.624756] ? __pfx_kthread+0x10/0x10
[ 46.625015] ret_from_fork+0x20/0x40
[ 46.625268] ? __pfx_kthread+0x10/0x10
[ 46.625532] ret_from_fork_asm+0x1a/0x30
[ 46.625805]
[ 46.625953]
[ 46.626056] Allocated by task 678:
[ 46.626287] kasan_save_stack+0x24/0x44
[ 46.626555] kasan_save_track+0x14/0x2d
[ 46.626811] __kasan_kmalloc+0x3f/0x4d
[ 46.627049] __kmalloc_noprof+0x1bf/0x1f0
[ 46.627362] typec_register_port+0x23/0x491
[ 46.627698] cros_typec_probe+0x634/0xbb6
[ 46.628026] platform_probe+0x47/0x8c
[ 46.628311] really_probe+0x20a/0x47d
[ 46.628605] device_driver_attach+0x39/0x72
[ 46.628940] bind_store+0x87/0xd7
[ 46.629213] kernfs_fop_write_iter+0x1aa/0x218
[ 46.629574] vfs_write+0x1d6/0x29b
[ 46.629856] ksys_write+0xcd/0x13b
[ 46.630128] do_syscall_64+0xd4/0x139
[ 46.630420] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 46.630820]
[ 46.630946] Freed by task 48:
[ 46.631182] kasan_save_stack+0x24/0x44
[ 46.631493] kasan_save_track+0x14/0x2d
[ 46.631799] kasan_save_free_info+0x3f/0x4d
[ 46.632144] __kasan_slab_free+0x37/0x45
[ 46.632474]
---truncated---
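The reference pattern the description calls for, shown as an added example: a userspace C model, not the kernel patch and not code from this page. All names (`struct dev`, `run_release`, `teardown`) are hypothetical, and a `released` flag stands in for freed memory so the stale parent read is detected rather than performed.

```c
#include <stdbool.h>

/* Userspace model of refcounted devices; all names are hypothetical. */
struct dev {
    int refs;
    bool pending;      /* refcount hit zero, release is queued (delayed) */
    bool released;     /* stands in for freed memory */
    struct dev *parent;
    bool holds_parent; /* registration took a reference on the parent */
};
struct result { bool stale_parent_read; bool parent_released; };

static void dev_get(struct dev *d) { d->refs++; }
static void dev_put(struct dev *d) { if (--d->refs == 0) d->pending = true; }

/* Delayed release worker. Like the altmode release, it reads the parent. */
static void run_release(struct dev *d, struct result *r)
{
    if (!d->pending || d->released)
        return;
    if (d->parent) {
        if (d->parent->released)
            r->stale_parent_read = true;   /* the read KASAN flags */
        else if (d->holds_parent)
            dev_put(d->parent);            /* fix: put in release */
    }
    d->released = true;
}

/* Tear down a port and one altmode, with the parent's release scheduled first. */
static struct result teardown(bool take_parent_ref)
{
    struct dev port = { .refs = 1 };
    struct dev alt = { .refs = 1, .parent = &port, .holds_parent = take_parent_ref };
    struct result r = { false, false };
    if (take_parent_ref)
        dev_get(&port);        /* fix: get the parent when registering */
    dev_put(&alt);             /* altmode unregistered, release queued */
    dev_put(&port);            /* port unregistered */
    run_release(&port, &r);    /* parent's delayed cleanup fires first */
    run_release(&alt, &r);
    run_release(&port, &r);    /* runs only if the altmode just dropped the last ref */
    r.parent_released = port.released;
    return r;
}

int main(void)
{
    return teardown(false).stale_parent_read && !teardown(true).stale_parent_read ? 0 : 1;
}
```

With the parent reference held, the port's refcount cannot reach zero until the altmode's release has finished, so the release ordering imposed by delayed cleanup no longer matters.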

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.19 (including) 4.19.323 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.285 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.229 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.170 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.115 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.59 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.11.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*