CVE-2024-35986
phy: ti: tusb1210: Resolve charger-det crash if charger psy is unregistered
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
phy: ti: tusb1210: Resolve charger-det crash if charger psy is unregistered
The power_supply frame-work is not really designed for there to be
long living in kernel references to power_supply devices.
Specifically unregistering a power_supply while some other code has
a reference to it triggers a WARN in power_supply_unregister():
WARN_ON(atomic_dec_return(&psy->use_cnt));
Folllowed by the power_supply still getting removed and the
backing data freed anyway, leaving the tusb1210 charger-detect code
with a dangling reference, resulting in a crash the next time
tusb1210_get_online() is called.
Fix this by only holding the reference in tusb1210_get_online()
freeing it at the end of the function. Note this still leaves
a theoretical race window, but it avoids the issue when manually
rmmod-ing the charger chip driver during development.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: phy: ti: tusb1210: resolver el bloqueo del cargador-det si el cargador psy no está registrado. El marco power_supply no está realmente manipulado para que haya referencias duraderas en el kernel a los dispositivos power_supply. Específicamente, cancelar el registro de un power_supply mientras algún otro código tiene una referencia a él activa una ADVERTENCIA en power_supply_unregister(): WARN_ON(atomic_dec_return(&psy->use_cnt)); Seguido por power_supply aún se elimina y los datos de respaldo se liberan de todos modos, dejando el código de detección del cargador tusb1210 con una referencia colgante, lo que resulta en un bloqueo la próxima vez que se llama a tusb1210_get_online(). Solucione este problema manteniendo únicamente la referencia en tusb1210_get_online() liberándola al final de la función. Tenga en cuenta que esto aún deja una ventana de ejecución teórica, pero evita el problema al modificar manualmente el controlador del chip del cargador durante el desarrollo.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-17 CVE Reserved
- 2024-05-20 CVE Published
- 2024-05-21 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/48969a5623ed918713552e2b4f9d391c89b5e838 | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.18 < 6.1.90 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.1.90" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.18 < 6.6.30 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.6.30" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.18 < 6.8.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.8.9" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.18 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.9" | en |
Affected
| ||||||