Linux kernel tcpm doublefree CVE-2024-26932 fix
CVE-2024-26932 Published on May 1, 2024
usb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()
In the Linux kernel, the following vulnerability has been resolved:
When unregistering pd capabilities in tcpm, KASAN will capture the below double-free issue. The root cause is that the same capability will be kfreed twice: the first time it is kfreed by pd_capabilities_release() and the second time it is explicitly kfreed by tcpm_port_unregister_pd().
[ 3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc
[ 3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10
[ 4.001206]
[ 4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53
[ 4.012402] Hardware name: Freescale i.MX8QXP MEK (DT)
[ 4.017569] Workqueue: events_unbound deferred_probe_work_func
[ 4.023456] Call trace:
[ 4.025920] dump_backtrace+0x94/0xec
[ 4.029629] show_stack+0x18/0x24
[ 4.032974] dump_stack_lvl+0x78/0x90
[ 4.036675] print_report+0xfc/0x5c0
[ 4.040289] kasan_report_invalid_free+0xa0/0xc0
[ 4.044937] __kasan_slab_free+0x124/0x154
[ 4.049072] kfree+0xb4/0x1e8
[ 4.052069] tcpm_port_unregister_pd+0x1a4/0x3dc
[ 4.056725] tcpm_register_port+0x1dd0/0x2558
[ 4.061121] tcpci_register_port+0x420/0x71c
[ 4.065430] tcpci_probe+0x118/0x2e0
To fix the issue, this will remove kfree() from tcpm_port_unregister_pd().
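The lifecycle bug the commit message describes, modelled in an added C example (not kernel code and not the patch): a device ->release() callback frees the capability object, and the buggy teardown path frees it again, while a KASAN-like tracking free counts the second free instead of corrupting the heap. pd_device, device_put, tracked_kfree and unregister_pd are hypothetical stand-ins for the kernel's device core and tcpm_port_unregister_pd().

```c
#include <stdint.h>
#include <stdlib.h>

/* KASAN-like bookkeeping (constructed for this example): remember freed
 * addresses and count a repeat free instead of corrupting the allocator. */
#define MAX_TRACKED 16
static uintptr_t freed_addrs[MAX_TRACKED];
static int n_freed, double_free_count;

static void tracked_kfree(void *p)
{
    uintptr_t addr = (uintptr_t)p;
    for (int i = 0; i < n_freed; i++)
        if (freed_addrs[i] == addr) {
            double_free_count++; /* what KASAN reports as "double-free" */
            return;
        }
    if (n_freed < MAX_TRACKED)
        freed_addrs[n_freed++] = addr;
    free(p);
}

struct pd_capabilities { int role; int nr_pdo; };
/* Hypothetical device whose ->release() owns the capability's lifetime. */
struct pd_device { struct pd_capabilities *caps; int refcount; };
/* Models pd_capabilities_release(): the device core frees the object
 * once the last reference is dropped. */
static void pd_capabilities_release(struct pd_device *dev)
{
    tracked_kfree(dev->caps);
}

static void device_put(struct pd_device *dev)
{
    if (--dev->refcount == 0)
        pd_capabilities_release(dev);
}

/* Models tcpm_port_unregister_pd(): explicit_kfree = 1 is the buggy path
 * (->release() frees caps, then the caller kfree()s it again), 0 the fix. */
static int unregister_pd(int explicit_kfree)
{
    struct pd_capabilities *caps = calloc(1, sizeof *caps);
    struct pd_device dev = { .caps = caps, .refcount = 1 };
    n_freed = double_free_count = 0;
    device_put(&dev);          /* first kfree, via ->release() */
    if (explicit_kfree)
        tracked_kfree(caps);   /* second kfree of the same address */
    return double_free_count;
}
```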
Vulnerability Analysis
CVE-2024-26932 is exploitable with local system access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Double-free Vulnerability?
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. When a program calls free() twice with the same argument, the program's memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.
CVE-2024-26932 has been classified as a Double-free vulnerability or weakness.
Products Associated with CVE-2024-26932
Affected Versions
Linux:
- Versions from commit cd099cde4ed264403b434d8344994f97ac2a4349 and below commit 242e425ed580b2f4dbcb86c8fc03a410a4084a69 are affected.
- Versions from commit cd099cde4ed264403b434d8344994f97ac2a4349 and below commit b63f90487bdf93a4223ce7853d14717e9d452856 are affected.
- Version 6.8 is affected.
- Versions before 6.8 are unaffected.
- Version 6.8.3 and later 6.8.* releases are unaffected.
- Version 6.9 and later are unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.