CVE-2024-39495 greybus: Fix use-after-free bug in gb_interface_release due to race condition.

2024-07-1212:20:31

Linux

github.com

linux kernel

vulnerability

greybus

use-after-free

race condition

kfree

canceling work

AI Score

7.2

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

In the Linux kernel, the following vulnerability has been resolved:

greybus: Fix use-after-free bug in gb_interface_release due to race condition.

In gb_interface_create, &intf->mode_switch_completion is bound with
gb_interface_mode_switch_work. Then it will be started by
gb_interface_request_mode_switch. Here is the relevant code.
if (!queue_work(system_long_wq, &intf->mode_switch_work)) {
…
}

If we call gb_interface_release to make cleanup, there may be an
unfinished work. This function will call kfree to free the object
“intf”. However, if gb_interface_mode_switch_work is scheduled to
run after kfree, it may cause use-after-free error as
gb_interface_mode_switch_work will use the object “intf”.
The possible execution flow that may lead to the issue is as follows:

CPU0 CPU1

                        |   gb_interface_create
                        |   gb_interface_request_mode_switch

gb_interface_release |
kfree(intf) (free) |
| gb_interface_mode_switch_work
| mutex_lock(&intf->mutex) (use)

Fix it by canceling the work before kfree.

CNA Affected

[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "74cd0a421896",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "2b6bb0b4abfd",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "fb071f5c75d4",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "9a733d69a4a5",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "0b8fba38bdfb",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "03ea2b129344",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "5c9c5d7f26ac",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "drivers/greybus/interface.c"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "unaffected",
        "version": "5.4.279",
        "versionType": "custom",
        "lessThanOrEqual": "5.4.*"
      },
      {
        "status": "unaffected",
        "version": "5.10.221",
        "versionType": "custom",
        "lessThanOrEqual": "5.10.*"
      },
      {
        "status": "unaffected",
        "version": "5.15.162",
        "versionType": "custom",
        "lessThanOrEqual": "5.15.*"
      },
      {
        "status": "unaffected",
        "version": "6.1.95",
        "versionType": "custom",
        "lessThanOrEqual": "6.1.*"
      },
      {
        "status": "unaffected",
        "version": "6.6.35",
        "versionType": "custom",
        "lessThanOrEqual": "6.6.*"
      },
      {
        "status": "unaffected",
        "version": "6.9.6",
        "versionType": "custom",
        "lessThanOrEqual": "6.9.*"
      },
      {
        "status": "unaffected",
        "version": "6.10",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "drivers/greybus/interface.c"
    ],
    "defaultStatus": "affected"
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
    ],
    "vendor": "linux",
    "product": "linux_kernel",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "74cd0a421896",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "2b6bb0b4abfd",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "fb071f5c75d4",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "9a733d69a4a5",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "0b8fba38bdfb",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "03ea2b129344",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "5c9c5d7f26ac",
        "versionType": "git"
      }
    ],
    "defaultStatus": "unaffected"
  }
]