cve-2024-36961
Vulnerability from cvelistv5
Published
2024-06-03 07:49
Modified
2024-11-05 09:28
Severity ?
EPSS score ?
Summary
thermal/debugfs: Fix two locking issues with thermal zone debug
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:43:50.481Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6c57bdd0505422d5ccd2df541d993aec978c842e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c7f7c37271787a7f77d7eedc132b0b419a76b4c8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:15:32.309097Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:59.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thermal/thermal_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6c57bdd05054",
"status": "affected",
"version": "7ef01f228c9f",
"versionType": "git"
},
{
"lessThan": "c7f7c3727178",
"status": "affected",
"version": "7ef01f228c9f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thermal/thermal_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/debugfs: Fix two locking issues with thermal zone debug\n\nWith the current thermal zone locking arrangement in the debugfs code,\nuser space can open the \"mitigations\" file for a thermal zone before\nthe zone\u0027s debugfs pointer is set which will result in a NULL pointer\ndereference in tze_seq_start().\n\nMoreover, thermal_debug_tz_remove() is not called under the thermal\nzone lock, so it can run in parallel with the other functions accessing\nthe thermal zone\u0027s struct thermal_debugfs object. Then, it may clear\ntz-\u003edebugfs after one of those functions has checked it and the\nstruct thermal_debugfs object may be freed prematurely.\n\nTo address the first problem, pass a pointer to the thermal zone\u0027s\nstruct thermal_debugfs object to debugfs_create_file() in\nthermal_debug_tz_add() and make tze_seq_start(), tze_seq_next(),\ntze_seq_stop(), and tze_seq_show() retrieve it from s-\u003eprivate\ninstead of a pointer to the thermal zone object. This will ensure\nthat tz_debugfs will be valid across the \"mitigations\" file accesses\nuntil thermal_debugfs_remove_id() called by thermal_debug_tz_remove()\nremoves that file.\n\nTo address the second problem, use tz-\u003elock in thermal_debug_tz_remove()\naround the tz-\u003edebugfs value check (in case the same thermal zone is\nremoved at the same time in two different threads) and its reset to NULL.\n\nCc :6.8+ \u003cstable@vger.kernel.org\u003e # 6.8+"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T09:28:52.402Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6c57bdd0505422d5ccd2df541d993aec978c842e"
},
{
"url": "https://git.kernel.org/stable/c/c7f7c37271787a7f77d7eedc132b0b419a76b4c8"
}
],
"title": "thermal/debugfs: Fix two locking issues with thermal zone debug",
"x_generator": {
"engine": "bippy-9e1c9544281a"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-36961",
"datePublished": "2024-06-03T07:49:59.621Z",
"dateReserved": "2024-05-30T15:25:07.081Z",
"dateUpdated": "2024-11-05T09:28:52.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-36961\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-06-03T08:15:09.660\",\"lastModified\":\"2024-06-03T14:46:24.250\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nthermal/debugfs: Fix two locking issues with thermal zone debug\\n\\nWith the current thermal zone locking arrangement in the debugfs code,\\nuser space can open the \\\"mitigations\\\" file for a thermal zone before\\nthe zone\u0027s debugfs pointer is set which will result in a NULL pointer\\ndereference in tze_seq_start().\\n\\nMoreover, thermal_debug_tz_remove() is not called under the thermal\\nzone lock, so it can run in parallel with the other functions accessing\\nthe thermal zone\u0027s struct thermal_debugfs object. Then, it may clear\\ntz-\u003edebugfs after one of those functions has checked it and the\\nstruct thermal_debugfs object may be freed prematurely.\\n\\nTo address the first problem, pass a pointer to the thermal zone\u0027s\\nstruct thermal_debugfs object to debugfs_create_file() in\\nthermal_debug_tz_add() and make tze_seq_start(), tze_seq_next(),\\ntze_seq_stop(), and tze_seq_show() retrieve it from s-\u003eprivate\\ninstead of a pointer to the thermal zone object. This will ensure\\nthat tz_debugfs will be valid across the \\\"mitigations\\\" file accesses\\nuntil thermal_debugfs_remove_id() called by thermal_debug_tz_remove()\\nremoves that file.\\n\\nTo address the second problem, use tz-\u003elock in thermal_debug_tz_remove()\\naround the tz-\u003edebugfs value check (in case the same thermal zone is\\nremoved at the same time in two different threads) and its reset to NULL.\\n\\nCc :6.8+ \u003cstable@vger.kernel.org\u003e # 6.8+\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Thermal/debugfs: soluciona dos problemas de bloqueo con la depuraci\u00f3n de la zona t\u00e9rmica. Con la disposici\u00f3n actual de bloqueo de la zona t\u00e9rmica en el c\u00f3digo debugfs, el espacio de usuario puede abrir el archivo de \\\"mitigaciones\\\" para una zona t\u00e9rmica antes. El puntero debugfs de la zona est\u00e1 configurado, lo que dar\u00e1 como resultado una desreferencia del puntero NULL en tze_seq_start(). Adem\u00e1s, Thermal_debug_tz_remove() no se llama bajo el bloqueo de la zona t\u00e9rmica, por lo que puede ejecutarse en paralelo con las otras funciones que acceden al objeto struct Thermal_debugfs de la zona t\u00e9rmica. Luego, puede borrar tz-\u0026gt;debugfs despu\u00e9s de que una de esas funciones lo haya verificado y el objeto struct Thermal_debugfs puede liberarse prematuramente. Para solucionar el primer problema, pase un puntero al objeto struct Thermal_debugfs de la zona t\u00e9rmica para debugfs_create_file() en Thermal_debug_tz_add() y haga que tze_seq_start(), tze_seq_next(), tze_seq_stop() y tze_seq_show() lo recuperen de s-\u0026gt;private. de un puntero al objeto de la zona t\u00e9rmica. Esto garantizar\u00e1 que tz_debugfs sea v\u00e1lido en todos los accesos a archivos de \\\"mitigaciones\\\" hasta que Thermal_debugfs_remove_id() llamado por Thermal_debug_tz_remove() elimine ese archivo. Para solucionar el segundo problema, use tz-\u0026gt;lock en Thermal_debug_tz_remove() alrededor de la verificaci\u00f3n del valor de tz-\u0026gt;debugfs (en caso de que la misma zona t\u00e9rmica se elimine al mismo tiempo en dos subprocesos diferentes) y se restablezca a NULL. CC :6.8+ # 6.8+\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6c57bdd0505422d5ccd2df541d993aec978c842e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c7f7c37271787a7f77d7eedc132b0b419a76b4c8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.