CVE-2024-53068

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 19/11/2024
Last modified: 06/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier()

The scmi_dev->name is released prematurely in __scmi_device_destroy(),
which causes slab-use-after-free when accessing scmi_dev->name in
scmi_bus_notifier(). So move the release of scmi_dev->name to
scmi_device_release() to avoid slab-use-after-free.

| BUG: KASAN: slab-use-after-free in strncmp+0xe4/0xec
| Read of size 1 at addr ffffff80a482bcc0 by task swapper/0/1
|
| CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.6.38-debug #1
| Hardware name: Qualcomm Technologies, Inc. SA8775P Ride (DT)
| Call trace:
| dump_backtrace+0x94/0x114
| show_stack+0x18/0x24
| dump_stack_lvl+0x48/0x60
| print_report+0xf4/0x5b0
| kasan_report+0xa4/0xec
| __asan_report_load1_noabort+0x20/0x2c
| strncmp+0xe4/0xec
| scmi_bus_notifier+0x5c/0x54c
| notifier_call_chain+0xb4/0x31c
| blocking_notifier_call_chain+0x68/0x9c
| bus_notify+0x54/0x78
| device_del+0x1bc/0x840
| device_unregister+0x20/0xb4
| __scmi_device_destroy+0xac/0x280
| scmi_device_destroy+0x94/0xd0
| scmi_chan_setup+0x524/0x750
| scmi_probe+0x7fc/0x1508
| platform_probe+0xc4/0x19c
| really_probe+0x32c/0x99c
| __driver_probe_device+0x15c/0x3c4
| driver_probe_device+0x5c/0x170
| __driver_attach+0x1c8/0x440
| bus_for_each_dev+0xf4/0x178
| driver_attach+0x3c/0x58
| bus_add_driver+0x234/0x4d4
| driver_register+0xf4/0x3c0
| __platform_driver_register+0x60/0x88
| scmi_driver_init+0xb0/0x104
| do_one_initcall+0xb4/0x664
| kernel_init_freeable+0x3c8/0x894
| kernel_init+0x24/0x1e8
| ret_from_fork+0x10/0x20
|
| Allocated by task 1:
| kasan_save_stack+0x2c/0x54
| kasan_set_track+0x2c/0x40
| kasan_save_alloc_info+0x24/0x34
| __kasan_kmalloc+0xa0/0xb8
| __kmalloc_node_track_caller+0x6c/0x104
| kstrdup+0x48/0x84
| kstrdup_const+0x34/0x40
| __scmi_device_create.part.0+0x8c/0x408
| scmi_device_create+0x104/0x370
| scmi_chan_setup+0x2a0/0x750
| scmi_probe+0x7fc/0x1508
| platform_probe+0xc4/0x19c
| really_probe+0x32c/0x99c
| __driver_probe_device+0x15c/0x3c4
| driver_probe_device+0x5c/0x170
| __driver_attach+0x1c8/0x440
| bus_for_each_dev+0xf4/0x178
| driver_attach+0x3c/0x58
| bus_add_driver+0x234/0x4d4
| driver_register+0xf4/0x3c0
| __platform_driver_register+0x60/0x88
| scmi_driver_init+0xb0/0x104
| do_one_initcall+0xb4/0x664
| kernel_init_freeable+0x3c8/0x894
| kernel_init+0x24/0x1e8
| ret_from_fork+0x10/0x20
|
| Freed by task 1:
| kasan_save_stack+0x2c/0x54
| kasan_set_track+0x2c/0x40
| kasan_save_free_info+0x38/0x5c
| __kasan_slab_free+0xe8/0x164
| __kmem_cache_free+0x11c/0x230
| kfree+0x70/0x130
| kfree_const+0x20/0x40
| __scmi_device_destroy+0x70/0x280
| scmi_device_destroy+0x94/0xd0
| scmi_chan_setup+0x524/0x750
| scmi_probe+0x7fc/0x1508
| platform_probe+0xc4/0x19c
| really_probe+0x32c/0x99c
| __driver_probe_device+0x15c/0x3c4
| driver_probe_device+0x5c/0x170
| __driver_attach+0x1c8/0x440
| bus_for_each_dev+0xf4/0x178
| driver_attach+0x3c/0x58
| bus_add_driver+0x234/0x4d4
| driver_register+0xf4/0x3c0
| __platform_driver_register+0x60/0x88
| scmi_driver_init+0xb0/0x104
| do_one_initcall+0xb4/0x664
| kernel_init_freeable+0x3c8/0x894
| kernel_init+0x24/0x1e8
| ret_from_fork+0x10/0x20
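
The ordering problem described above, as an added userspace C model (not the kernel source and not the upstream patch): the name is freed either before unregistration notifies the bus, or only from the release callback. `model_dev`, `run_model` and the other helpers are hypothetical names, the strings are constructed, and the `name_live` flag stands in for KASAN so the model itself never reads freed memory.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct model_dev {            /* userspace model only; names are hypothetical */
    char *name;               /* stands in for scmi_dev->name */
    bool name_live;           /* false once name has been freed */
    bool notifier_saw_freed;  /* notifier ran after name was freed */
    void (*release)(struct model_dev *);
};

static void free_name(struct model_dev *d)
{
    free(d->name);
    d->name = NULL;
    d->name_live = false;
}

/* Stands in for scmi_bus_notifier(), which reads the name via strncmp(). */
static void model_bus_notifier(struct model_dev *d)
{
    if (!d->name_live) {      /* the kernel has no such guard; KASAN reports here */
        d->notifier_saw_freed = true;
        return;
    }
    (void)strncmp(d->name, "constructed-prefix", 18);
}

/* Stands in for device_unregister(): notify first, release last. */
static void model_device_unregister(struct model_dev *d)
{
    model_bus_notifier(d);
    if (d->release)
        d->release(d);
}

/* Returns true when the notifier would have touched freed memory. */
bool run_model(bool fixed)
{
    struct model_dev d = { .name = malloc(16), .name_live = true };
    if (!d.name) return false;
    strcpy(d.name, "constructed-dev");   /* 15 chars + NUL */
    if (fixed)
        d.release = free_name;           /* fix: free only in release */
    else
        free_name(&d);                   /* pre-fix: freed in destroy */
    model_device_unregister(&d);
    return d.notifier_saw_freed;
}
```

`run_model(false)` follows the pre-fix order and reports the stale access; `run_model(true)` follows the fixed order and does not.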

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.6 (including) | 6.6.61 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:* | | |