// For flags

CVE-2024-36899

gpiolib: cdev: Fix use after free in lineinfo_changed_notify

Severity Score

6.7
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

gpiolib: cdev: Fix use after free in lineinfo_changed_notify

The use-after-free issue occurs as follows: when the GPIO chip device file
is being closed by invoking gpio_chrdev_release(), watched_lines is freed
by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier
chain failed due to waiting write rwsem. Additionally, one of the GPIO
chip's lines is also in the release process and holds the notifier chain's
read rwsem. Consequently, a race condition leads to the use-after-free of
watched_lines.

Here is the typical stack when issue happened:

[free]
gpio_chrdev_release()
--> bitmap_free(cdev->watched_lines) <-- freed
--> blocking_notifier_chain_unregister()
--> down_write(&nh->rwsem) <-- waiting rwsem
--> __down_write_common()
--> rwsem_down_write_slowpath()
--> schedule_preempt_disabled()
--> schedule()

[use]
st54spi_gpio_dev_release()
--> gpio_free()
--> gpiod_free()
--> gpiod_free_commit()
--> gpiod_line_state_notify()
--> blocking_notifier_call_chain()
--> down_read(&nh->rwsem); <-- held rwsem
--> notifier_call_chain()
--> lineinfo_changed_notify()
--> test_bit(xxxx, cdev->watched_lines) <-- use after free

The side effect of the use-after-free issue is that a GPIO line event is
being generated for userspace where it shouldn't. However, since the chrdev
is being closed, userspace won't have the chance to read that event anyway.

To fix the issue, call the bitmap_free() function after the unregistration
of lineinfo_changed_nb notifier chain.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: gpiolib: cdev: corrige el use after free en lineinfo_changed_notify El problema de use after free ocurre de la siguiente manera: cuando el archivo del dispositivo del chip GPIO se cierra al invocar gpio_chrdev_release(), las líneas vigiladas son liberado por bitmap_free(), pero la cancelación del registro de la cadena de notificador lineinfo_changed_nb falló debido a la espera de escritura de rwsem. Además, una de las líneas del chip GPIO también está en proceso de lanzamiento y contiene el rwsem de lectura de la cadena notificadora. En consecuencia, una condición de ejecución conduce al use after free de watched_lines. Aquí está la pila típica cuando ocurrió el problema: [free] gpio_chrdev_release() --&gt; bitmap_free(cdev-&gt;watched_lines) &lt;-- freed --&gt; blocking_notifier_chain_unregister() --&gt; down_write(&amp;nh-&gt;rwsem) &lt;-- waiting rwsem --&gt; __down_write_common() --&gt; rwsem_down_write_slowpath() --&gt; schedule_preempt_disabled() --&gt; schedule() [use] st54spi_gpio_dev_release() --&gt; gpio_free() --&gt; gpiod_free() --&gt; gpiod_free_commit() --&gt; gpiod_line_state_notify() --&gt; blocking_notifier_call_chain() --&gt; down_read(&amp;nh-&gt;rwsem); &lt;-- held rwsem --&gt; notifier_call_chain() --&gt; lineinfo_changed_notify() --&gt; test_bit(xxxx, cdev-&gt;watched_lines) &lt;-- use after free El efecto secundario del problema de use after free es que un GPIO El evento de línea se está generando para el espacio de usuario donde no debería. Sin embargo, dado que chrdev se cerrará, el espacio de usuario no tendrá la oportunidad de leer ese evento de todos modos. Para solucionar el problema, llame a la función bitmap_free() después de cancelar el registro de la cadena de notificadores lineinfo_changed_nb.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-05-30 CVE Reserved
  • 2024-05-30 CVE Published
  • 2024-05-31 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-416: Use After Free
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.7 < 6.6.31
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.6.31"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.7 < 6.8.10
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.8.10"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.7 < 6.9
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.9"
en
Affected