CVE-2024-36932
thermal/debugfs: Prevent use-after-free from occurring after cdev removal
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved: thermal/debugfs: Prevent use-after-free from occurring after cdev removal Since thermal_debug_cdev_remove() does not run under cdev->lock, it can
run in parallel with thermal_debug_cdev_state_update() and it may free
the struct thermal_debugfs object used by the latter after it has been
checked against NULL. If that happens, thermal_debug_cdev_state_update() will access memory
that has been freed already causing the kernel to crash. Address this by using cdev->lock in thermal_debug_cdev_remove() around
the cdev->debugfs value check (in case the same cdev is removed at the
same time in two different threads) and its reset to NULL. Cc :6.8+ <stable@vger.kernel.org> # 6.8+
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Thermal/debugfs: evita que se produzca use after free después de la eliminación de cdev. Dado que Thermal_debug_cdev_remove() no se ejecuta bajo cdev->lock, puede ejecutarse en paralelo con Thermal_debug_cdev_state_update() y puede liberar el objeto struct Thermal_debugfs utilizado por este último después de haberlo verificado con NULL. Si eso sucede, Thermal_debug_cdev_state_update() accederá a la memoria que ya ha sido liberada, lo que provocará que el kernel falle. Solucione esto usando cdev->lock en Thermal_debug_cdev_remove() alrededor de la verificación del valor de cdev->debugfs (en caso de que el mismo cdev se elimine al mismo tiempo en dos subprocesos diferentes) y se restablezca a NULL. CC :6.8+ # 6.8+
In the Linux kernel, the following vulnerability has been resolved: thermal/debugfs: Prevent use-after-free from occurring after cdev removal Since thermal_debug_cdev_remove() does not run under cdev->lock, it can run in parallel with thermal_debug_cdev_state_update() and it may free the struct thermal_debugfs object used by the latter after it has been checked against NULL. If that happens, thermal_debug_cdev_state_update() will access memory that has been freed already causing the kernel to crash. Address this by using cdev->lock in thermal_debug_cdev_remove() around the cdev->debugfs value check (in case the same cdev is removed at the same time in two different threads) and its reset to NULL. Cc :6.8+ <stable@vger.kernel.org> # 6.8+
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2024-05-30 CVE Reserved
- 2024-05-30 CVE Published
- 2024-05-31 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-416: Use After Free
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/755113d7678681a137c330f7997ceb680adb644e | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://git.kernel.org/stable/c/c1279dee33369e2525f532364bb87207d23b9481 | 2024-05-17 | |
| https://git.kernel.org/stable/c/d351eb0ab04c3e8109895fc33250cebbce9c11da | 2024-04-26 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-36932 | 2024-11-12 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2284490 | 2024-11-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.8 < 6.8.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.8.10" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.8 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.9" | en |
Affected
| ||||||