cve-2024-26932
Vulnerability from cvelistv5
Published
2024-05-01 05:17
Modified
2024-12-19 08:50
Summary
In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd() When unregister pd capabilitie in tcpm, KASAN will capture below double -free issue. The root cause is the same capabilitiy will be kfreed twice, the first time is kfreed by pd_capabilities_release() and the second time is explicitly kfreed by tcpm_port_unregister_pd(). [ 3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc [ 3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10 [ 4.001206] [ 4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53 [ 4.012402] Hardware name: Freescale i.MX8QXP MEK (DT) [ 4.017569] Workqueue: events_unbound deferred_probe_work_func [ 4.023456] Call trace: [ 4.025920] dump_backtrace+0x94/0xec [ 4.029629] show_stack+0x18/0x24 [ 4.032974] dump_stack_lvl+0x78/0x90 [ 4.036675] print_report+0xfc/0x5c0 [ 4.040289] kasan_report_invalid_free+0xa0/0xc0 [ 4.044937] __kasan_slab_free+0x124/0x154 [ 4.049072] kfree+0xb4/0x1e8 [ 4.052069] tcpm_port_unregister_pd+0x1a4/0x3dc [ 4.056725] tcpm_register_port+0x1dd0/0x2558 [ 4.061121] tcpci_register_port+0x420/0x71c [ 4.065430] tcpci_probe+0x118/0x2e0 To fix the issue, this will remove kree() from tcpm_port_unregister_pd().
Impacted products
Vendor Product Version
Linux Linux Version: 6.8
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "affected",
                "version": "cd099cde4ed2"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "affected",
                "version": "6.8"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "unknown",
                "version": "0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "unknown",
                "version": "6.8.3"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "unknown",
                "version": "6.9"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-26932",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-16T17:47:41.356254Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-415",
                "description": "CWE-415 Double Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:49:03.852Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.593Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/242e425ed580b2f4dbcb86c8fc03a410a4084a69"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b63f90487bdf93a4223ce7853d14717e9d452856"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/typec/tcpm/tcpm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "242e425ed580b2f4dbcb86c8fc03a410a4084a69",
              "status": "affected",
              "version": "cd099cde4ed264403b434d8344994f97ac2a4349",
              "versionType": "git"
            },
            {
              "lessThan": "b63f90487bdf93a4223ce7853d14717e9d452856",
              "status": "affected",
              "version": "cd099cde4ed264403b434d8344994f97ac2a4349",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/typec/tcpm/tcpm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()\n\nWhen unregister pd capabilitie in tcpm, KASAN will capture below double\n-free issue. The root cause is the same capabilitiy will be kfreed twice,\nthe first time is kfreed by pd_capabilities_release() and the second time\nis explicitly kfreed by tcpm_port_unregister_pd().\n\n[    3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc\n[    3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10\n[    4.001206]\n[    4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53\n[    4.012402] Hardware name: Freescale i.MX8QXP MEK (DT)\n[    4.017569] Workqueue: events_unbound deferred_probe_work_func\n[    4.023456] Call trace:\n[    4.025920]  dump_backtrace+0x94/0xec\n[    4.029629]  show_stack+0x18/0x24\n[    4.032974]  dump_stack_lvl+0x78/0x90\n[    4.036675]  print_report+0xfc/0x5c0\n[    4.040289]  kasan_report_invalid_free+0xa0/0xc0\n[    4.044937]  __kasan_slab_free+0x124/0x154\n[    4.049072]  kfree+0xb4/0x1e8\n[    4.052069]  tcpm_port_unregister_pd+0x1a4/0x3dc\n[    4.056725]  tcpm_register_port+0x1dd0/0x2558\n[    4.061121]  tcpci_register_port+0x420/0x71c\n[    4.065430]  tcpci_probe+0x118/0x2e0\n\nTo fix the issue, this will remove kree() from tcpm_port_unregister_pd()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:50:34.539Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/242e425ed580b2f4dbcb86c8fc03a410a4084a69"
        },
        {
          "url": "https://git.kernel.org/stable/c/b63f90487bdf93a4223ce7853d14717e9d452856"
        }
      ],
      "title": "usb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26932",
    "datePublished": "2024-05-01T05:17:19.129Z",
    "dateReserved": "2024-02-19T14:20:24.195Z",
    "dateUpdated": "2024-12-19T08:50:34.539Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26932\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-01T06:15:07.810\",\"lastModified\":\"2024-11-21T09:03:24.980\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()\\n\\nWhen unregister pd capabilitie in tcpm, KASAN will capture below double\\n-free issue. The root cause is the same capabilitiy will be kfreed twice,\\nthe first time is kfreed by pd_capabilities_release() and the second time\\nis explicitly kfreed by tcpm_port_unregister_pd().\\n\\n[    3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc\\n[    3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10\\n[    4.001206]\\n[    4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53\\n[    4.012402] Hardware name: Freescale i.MX8QXP MEK (DT)\\n[    4.017569] Workqueue: events_unbound deferred_probe_work_func\\n[    4.023456] Call trace:\\n[    4.025920]  dump_backtrace+0x94/0xec\\n[    4.029629]  show_stack+0x18/0x24\\n[    4.032974]  dump_stack_lvl+0x78/0x90\\n[    4.036675]  print_report+0xfc/0x5c0\\n[    4.040289]  kasan_report_invalid_free+0xa0/0xc0\\n[    4.044937]  __kasan_slab_free+0x124/0x154\\n[    4.049072]  kfree+0xb4/0x1e8\\n[    4.052069]  tcpm_port_unregister_pd+0x1a4/0x3dc\\n[    4.056725]  tcpm_register_port+0x1dd0/0x2558\\n[    4.061121]  tcpci_register_port+0x420/0x71c\\n[    4.065430]  tcpci_probe+0x118/0x2e0\\n\\nTo fix the issue, this will remove kree() from tcpm_port_unregister_pd().\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: usb: typec: tcpm: soluciona el problema de doble liberaci\u00f3n en tcpm_port_unregister_pd() Cuando se cancela el registro de la capacidad de pd en tcpm, KASAN capturar\u00e1 el siguiente problema de doble liberaci\u00f3n. La causa principal es que la misma capacidad se liberar\u00e1 dos veces, la primera vez se liberar\u00e1 mediante pd_capabilities_release() y la segunda vez se liberar\u00e1 expl\u00edcitamente mediante tcpm_port_unregister_pd(). [3.988059] ERROR: KASAN: doble liberaci\u00f3n en tcpm_port_unregister_pd+0x1a4/0x3dc [3.995001] Libre de direcci\u00f3n ffff0008164d3000 por tarea kworker/u16:0/10 [4.001206] [4.002712] CPU: 2 PID: 10 Co mm: ktrabajador/u16: 0 No contaminado 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53 [4.012402] Nombre del hardware: Freescale i.MX8QXP MEK (DT) [4.017569] Cola de trabajo: events_unbound deferred_probe_work_func [4.023456] Seguimiento de llamadas: [ 4.025920] dump_backtrace+ 0x94/0xec [ 4.029629] show_stack+0x18/0x24 [ 4.032974] dump_stack_lvl+0x78/0x90 [ 4.036675] print_report+0xfc/0x5c0 [ 4.040289] kasan_report_invalid_free+0xa0/0xc0 [ 4 .044937] __kasan_slab_free+0x124/0x154 [ 4.049072] kfree+0xb4/ 0x1e8 [ 4.052069] tcpm_port_unregister_pd+0x1a4/0x3dc [ 4.056725] tcpm_register_port+0x1dd0/0x2558 [ 4.061121] tcpci_register_port+0x420/0x71c [ 4.065430] +0x118/0x2e0 Para solucionar el problema, esto eliminar\u00e1 kree() de tcpm_port_unregister_pd().\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-415\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-415\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartExcluding\":\"6.8\",\"versionEndExcluding\":\"6.8.3\",\"matchCriteriaId\":\"1649B701-9DF9-4E5D-AA4B-6A7071BF05D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"22BEDD49-2C6D-402D-9DBF-6646F6ECD10B\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/242e425ed580b2f4dbcb86c8fc03a410a4084a69\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b63f90487bdf93a4223ce7853d14717e9d452856\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/242e425ed580b2f4dbcb86c8fc03a410a4084a69\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b63f90487bdf93a4223ce7853d14717e9d452856\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.