CVE-2024-36932

thermal/debugfs: Prevent use-after-free from occurring after cdev removal

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

thermal/debugfs: Prevent use-after-free from occurring after cdev removal

Since thermal_debug_cdev_remove() does not run under cdev->lock, it can
run in parallel with thermal_debug_cdev_state_update() and it may free
the struct thermal_debugfs object used by the latter after it has been
checked against NULL.

If that happens, thermal_debug_cdev_state_update() will access memory
that has been freed already causing the kernel to crash.

Address this by using cdev->lock in thermal_debug_cdev_remove() around
the cdev->debugfs value check (in case the same cdev is removed at the
same time in two different threads) and its reset to NULL.

Cc :6.8+ <stable@vger.kernel.org> # 6.8+

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Thermal/debugfs: evita que se produzca use after free después de la eliminación de cdev. Dado que Thermal_debug_cdev_remove() no se ejecuta bajo cdev->lock, puede ejecutarse en paralelo con Thermal_debug_cdev_state_update() y puede liberar el objeto struct Thermal_debugfs utilizado por este último después de haberlo verificado con NULL. Si eso sucede, Thermal_debug_cdev_state_update() accederá a la memoria que ya ha sido liberada, lo que provocará que el kernel falle. Solucione esto usando cdev->lock en Thermal_debug_cdev_remove() alrededor de la verificación del valor de cdev->debugfs (en caso de que el mismo cdev se elimine al mismo tiempo en dos subprocesos diferentes) y se restablezca a NULL. CC :6.8+ # 6.8+

*Credits: N/A

CVSS Scores

NISTv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-05-30 CVE Reserved
2024-05-30 CVE Published
2024-05-31 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (3)

URL	Tag	Source
https://git.kernel.org/stable/c/755113d7678681a137c330f7997ceb680adb644e	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/c1279dee33369e2525f532364bb87207d23b9481	2024-05-17
https://git.kernel.org/stable/c/d351eb0ab04c3e8109895fc33250cebbce9c11da	2024-04-26

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.8 < 6.8.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.8.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.8 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.9"		en		Affected