CVE-2024-39495

greybus: Fix use-after-free bug in gb_interface_release due to race condition.

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

greybus: Fix use-after-free bug in gb_interface_release due to race condition.

In gb_interface_create, &intf->mode_switch_completion is bound with
gb_interface_mode_switch_work. Then it will be started by
gb_interface_request_mode_switch. Here is the relevant code.
if (!queue_work(system_long_wq, &intf->mode_switch_work)) {
...
}

If we call gb_interface_release to make cleanup, there may be an
unfinished work. This function will call kfree to free the object
"intf". However, if gb_interface_mode_switch_work is scheduled to
run after kfree, it may cause use-after-free error as
gb_interface_mode_switch_work will use the object "intf".
The possible execution flow that may lead to the issue is as follows:

CPU0 CPU1

| gb_interface_create
| gb_interface_request_mode_switch
gb_interface_release |
kfree(intf) (free) |
| gb_interface_mode_switch_work
| mutex_lock(&intf->mutex) (use)

Fix it by canceling the work before kfree.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: greybus: corrigió el error de use-after-free en gb_interface_release debido a la condición de ejecución. En gb_interface_create, &intf->mode_switch_completion está vinculado con gb_interface_mode_switch_work. Luego lo iniciará gb_interface_request_mode_switch. Aquí está el código relevante. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } Si llamamos a gb_interface_release para realizar la limpieza, es posible que haya un trabajo sin terminar. Esta función llamará a kfree para liberar el objeto "intf". Sin embargo, si gb_interface_mode_switch_work está programado para ejecutarse después de kfree, puede causar un error de use-after-free ya que gb_interface_mode_switch_work usará el objeto "intf". El posible flujo de ejecución que puede provocar el problema es el siguiente: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (gratis) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (uso) Solucionarlo cancelando el trabajo antes de kfree.

*Credits: N/A

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-06-25 CVE Reserved
2024-07-12 CVE Published
2024-07-25 EPSS Updated
2024-08-20 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (7)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201	2024-07-05
https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83	2024-07-05
https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9	2024-07-05
https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc	2024-06-21
https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea	2024-06-21
https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445	2024-06-21
https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce	2024-05-04

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.4.279 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.279"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.10.221 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.221"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.15.162 Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.162"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.1.95 Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.95"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.6.35 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.35"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.9.6 Search vendor "Linux" for product "Linux Kernel" and version " < 6.9.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.10 Search vendor "Linux" for product "Linux Kernel" and version " < 6.10"		en		Affected