CVE-2024-26996
Vulnerability from cvelistv5
Published
2024-05-01 05:28
Modified
2024-12-19 08:52
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error When ncm function is working and then stop usb0 interface for link down, eth_stop() is called. At this piont, accidentally if usb transport error should happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled. After that, ncm_disable() is called to disable for ncm unbind but gether_disconnect() is never called since 'in_ep' is not enabled. As the result, ncm object is released in ncm unbind but 'dev->port_usb' associated to 'ncm->port' is not NULL. And when ncm bind again to recover netdev, ncm object is reallocated but usb0 interface is already associated to previous released ncm object. Therefore, once usb0 interface is up and eth_start_xmit() is called, released ncm object is dereferrenced and it might cause use-after-free memory. [function unlink via configfs] usb0: eth_stop dev->port_usb=ffffff9b179c3200 --> error happens in usb_ep_enable(). NCM: ncm_disable: ncm=ffffff9b179c3200 --> no gether_disconnect() since ncm->port.in_ep->enabled is false. NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200 NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm [function link via configfs] NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000 NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000 NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0 usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm usb0: eth_start dev->port_usb=ffffff9b179c3200 <-- eth_start_xmit() --> dev->wrap() Unable to handle kernel paging request at virtual address dead00000000014f This patch addresses the issue by checking if 'ncm->netdev' is not NULL at ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'. It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect rather than check 'ncm->port.in_ep->enabled' since it might not be enabled but the gether connection might be established.
Impacted products
Vendor Product Version
Linux Linux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26996",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-10T18:35:08.216292Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:22:50.015Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.862Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_ncm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7f67c2020cb08499c400abf0fc32c65e4d9a09ca",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0588bbbd718a8130b98c54518f1e0b569ce60a93",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f356fd0cbd9c9cbd0854657a80d1608d0d732db3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7250326cbb1f4f90391ac511a126b936cefb5bb7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6334b8e4553cc69f51e383c9de545082213d785e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_ncm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.29",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\n\nWhen ncm function is working and then stop usb0 interface for link down,\neth_stop() is called. At this piont, accidentally if usb transport error\nshould happen in usb_ep_enable(), \u0027in_ep\u0027 and/or \u0027out_ep\u0027 may not be enabled.\n\nAfter that, ncm_disable() is called to disable for ncm unbind\nbut gether_disconnect() is never called since \u0027in_ep\u0027 is not enabled.\n\nAs the result, ncm object is released in ncm unbind\nbut \u0027dev-\u003eport_usb\u0027 associated to \u0027ncm-\u003eport\u0027 is not NULL.\n\nAnd when ncm bind again to recover netdev, ncm object is reallocated\nbut usb0 interface is already associated to previous released ncm object.\n\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\n\n[function unlink via configfs]\n  usb0: eth_stop dev-\u003eport_usb=ffffff9b179c3200\n  --\u003e error happens in usb_ep_enable().\n  NCM: ncm_disable: ncm=ffffff9b179c3200\n  --\u003e no gether_disconnect() since ncm-\u003eport.in_ep-\u003eenabled is false.\n  NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\n  NCM: ncm_free: ncm free ncm=ffffff9b179c3200   \u003c-- released ncm\n\n[function link via configfs]\n  NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\n  NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\n  NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\n  usb0: eth_open dev-\u003eport_usb=ffffff9b179c3200  \u003c-- previous released ncm\n  usb0: eth_start dev-\u003eport_usb=ffffff9b179c3200 \u003c--\n  eth_start_xmit()\n  --\u003e dev-\u003ewrap()\n  Unable to handle kernel paging request at virtual address dead00000000014f\n\nThis patch addresses the issue by checking if \u0027ncm-\u003enetdev\u0027 is not NULL at\nncm_disable() to call gether_disconnect() to deassociate \u0027dev-\u003eport_usb\u0027.\nIt\u0027s more reasonable to check \u0027ncm-\u003enetdev\u0027 to call gether_connect/disconnect\nrather than check \u0027ncm-\u003eport.in_ep-\u003eenabled\u0027 since it might not be enabled\nbut the gether connection might be established."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:52:08.206Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93"
        },
        {
          "url": "https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3"
        },
        {
          "url": "https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7"
        },
        {
          "url": "https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e"
        }
      ],
      "title": "usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26996",
    "datePublished": "2024-05-01T05:28:16.652Z",
    "dateReserved": "2024-02-19T14:20:24.206Z",
    "dateUpdated": "2024-12-19T08:52:08.206Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26996\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-01T06:15:17.480\",\"lastModified\":\"2024-11-21T09:03:34.937\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\\n\\nWhen ncm function is working and then stop usb0 interface for link down,\\neth_stop() is called. At this piont, accidentally if usb transport error\\nshould happen in usb_ep_enable(), \u0027in_ep\u0027 and/or \u0027out_ep\u0027 may not be enabled.\\n\\nAfter that, ncm_disable() is called to disable for ncm unbind\\nbut gether_disconnect() is never called since \u0027in_ep\u0027 is not enabled.\\n\\nAs the result, ncm object is released in ncm unbind\\nbut \u0027dev-\u003eport_usb\u0027 associated to \u0027ncm-\u003eport\u0027 is not NULL.\\n\\nAnd when ncm bind again to recover netdev, ncm object is reallocated\\nbut usb0 interface is already associated to previous released ncm object.\\n\\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\\n\\n[function unlink via configfs]\\n  usb0: eth_stop dev-\u003eport_usb=ffffff9b179c3200\\n  --\u003e error happens in usb_ep_enable().\\n  NCM: ncm_disable: ncm=ffffff9b179c3200\\n  --\u003e no gether_disconnect() since ncm-\u003eport.in_ep-\u003eenabled is false.\\n  NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\\n  NCM: ncm_free: ncm free ncm=ffffff9b179c3200   \u003c-- released ncm\\n\\n[function link via configfs]\\n  NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\\n  NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\\n  NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\\n  usb0: eth_open dev-\u003eport_usb=ffffff9b179c3200  \u003c-- previous released ncm\\n  usb0: eth_start dev-\u003eport_usb=ffffff9b179c3200 \u003c--\\n  eth_start_xmit()\\n  --\u003e dev-\u003ewrap()\\n  Unable to handle kernel paging request at virtual address dead00000000014f\\n\\nThis patch addresses the issue by checking if \u0027ncm-\u003enetdev\u0027 is not NULL at\\nncm_disable() to call gether_disconnect() to deassociate \u0027dev-\u003eport_usb\u0027.\\nIt\u0027s more reasonable to check \u0027ncm-\u003enetdev\u0027 to call gether_connect/disconnect\\nrather than check \u0027ncm-\u003eport.in_ep-\u003eenabled\u0027 since it might not be enabled\\nbut the gether connection might be established.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: gadget: f_ncm: corrige el objeto UAF ncm al volver a vincularlo despu\u00e9s del error de transporte usb ep Cuando la funci\u00f3n ncm est\u00e1 funcionando y luego detiene la interfaz usb0 para desconectar el enlace, se llama a eth_stop() . En este punto, accidentalmente, si ocurre un error de transporte USB en usb_ep_enable(), es posible que \u0027in_ep\u0027 y/o \u0027out_ep\u0027 no est\u00e9n habilitados. Despu\u00e9s de eso, se llama a ncm_disable() para deshabilitar ncm unbind, pero nunca se llama a gether_disconnect() ya que \u0027in_ep\u0027 no est\u00e1 habilitado. Como resultado, el objeto ncm se libera en ncm unbind pero \u0027dev-\u0026gt;port_usb\u0027 asociado a \u0027ncm-\u0026gt;port\u0027 no es NULL. Y cuando ncm se vincula nuevamente para recuperar netdev, el objeto ncm se reasigna pero la interfaz usb0 ya est\u00e1 asociada al objeto ncm lanzado anteriormente. Por lo tanto, una vez que la interfaz usb0 est\u00e1 activa y se llama a eth_start_xmit(), el objeto ncm liberado se desreferencia y podr\u00eda causar memoria de use-after-free. [funci\u00f3n de desvinculaci\u00f3n a trav\u00e9s de configfs] usb0: eth_stop dev-\u0026gt;port_usb=ffffff9b179c3200 --\u0026gt; el error ocurre en usb_ep_enable(). NCM: ncm_disable: ncm=ffffff9b179c3200 --\u0026gt; no gether_disconnect() ya que ncm-\u0026gt;port.in_ep-\u0026gt;enabled es falso. NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200 NCM: ncm_free: ncm free ncm=ffffff9b179c3200 \u0026lt;-- ncm liberado [enlace de funci\u00f3n a trav\u00e9s de configfs] NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000 NCM: ncm_bind: cm enlazar ncm=ffffff9ac4f8a000 NCM: ncm_set_alt : ncm=ffffff9ac4f8a000 alt=0 usb0: eth_open dev-\u0026gt;port_usb=ffffff9b179c3200 \u0026lt;-- ncm usb0 lanzado anteriormente: eth_start dev-\u0026gt;port_usb=ffffff9b179c3200 \u0026lt;-- eth_start_xmit() --\u0026gt; dev-\u0026gt;wrap() No se puede manejar el kernel solicitud de paginaci\u00f3n en la direcci\u00f3n virtual dead00000000014f Este parche soluciona el problema verificando si \u0027ncm-\u0026gt;netdev\u0027 no es NULL en ncm_disable() para llamar a gether_disconnect() para desasociar \u0027dev-\u0026gt;port_usb\u0027. Es m\u00e1s razonable marcar \u0027ncm-\u0026gt;netdev\u0027 para llamar a gether_connect/disconnect en lugar de marcar \u0027ncm-\u0026gt;port.in_ep-\u0026gt;enabled\u0027 ya que es posible que no est\u00e9 habilitado pero que se pueda establecer la conexi\u00f3n conjunta.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.