CVE-2024-26996

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error When ncm function is working and then stop usb0 interface for link down, eth_stop() is called. At this piont, accidentally if usb transport error should happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled. After that, ncm_disable() is called to disable for ncm unbind but gether_disconnect() is never called since 'in_ep' is not enabled. As the result, ncm object is released in ncm unbind but 'dev->port_usb' associated to 'ncm->port' is not NULL. And when ncm bind again to recover netdev, ncm object is reallocated but usb0 interface is already associated to previous released ncm object. Therefore, once usb0 interface is up and eth_start_xmit() is called, released ncm object is dereferrenced and it might cause use-after-free memory. [function unlink via configfs] usb0: eth_stop dev->port_usb=ffffff9b179c3200 --> error happens in usb_ep_enable(). NCM: ncm_disable: ncm=ffffff9b179c3200 --> no gether_disconnect() since ncm->port.in_ep->enabled is false. NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200 NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm [function link via configfs] NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000 NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000 NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0 usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm usb0: eth_start dev->port_usb=ffffff9b179c3200 <-- eth_start_xmit() --> dev->wrap() Unable to handle kernel paging request at virtual address dead00000000014f This patch addresses the issue by checking if 'ncm->netdev' is not NULL at ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'. It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect rather than check 'ncm->port.in_ep->enabled' since it might not be enabled but the gether connection might be established.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93	Patch
https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e	Patch
https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7	Patch
https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca	Patch
https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3	Patch
https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93	Patch
https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e	Patch
https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7	Patch
https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca	Patch
https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.9:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.9:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.9:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.9:rc4::::::

History

23 Dec 2024, 19:49

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93 -~~	() https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93 - Patch
References	~~() https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e -~~	() https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e - Patch
References	~~() https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7 -~~	() https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7 - Patch
References	~~() https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca -~~	() https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca - Patch
References	~~() https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3 -~~	() https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3 - Patch
CPE		cpe:2.3:o:linux:linux_kernel:6.9:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.9:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.9:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.9:rc2:::::: cpe:2.3:o:linux:linux_kernel::::::::
First Time		Linux linux Kernel Linux
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CWE		CWE-416

21 Nov 2024, 09:03

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93 -~~	() https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93 -
References	~~() https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e -~~	() https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e -
References	~~() https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7 -~~	() https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7 -
References	~~() https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca -~~	() https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca -
References	~~() https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3 -~~	() https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3 -

13 May 2024, 08:15

Type	Values Removed	Values Added
References	~~{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}~~ ~~{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}~~ ~~{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}~~

03 May 2024, 03:16

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/ -
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: gadget: f_ncm: corrige el objeto UAF ncm al volver a vincularlo después del error de transporte usb ep Cuando la función ncm está funcionando y luego detiene la interfaz usb0 para desconectar el enlace, se llama a eth_stop() . En este punto, accidentalmente, si ocurre un error de transporte USB en usb_ep_enable(), es posible que 'in_ep' y/o 'out_ep' no estén habilitados. Después de eso, se llama a ncm_disable() para deshabilitar ncm unbind, pero nunca se llama a gether_disconnect() ya que 'in_ep' no está habilitado. Como resultado, el objeto ncm se libera en ncm unbind pero 'dev->port_usb' asociado a 'ncm->port' no es NULL. Y cuando ncm se vincula nuevamente para recuperar netdev, el objeto ncm se reasigna pero la interfaz usb0 ya está asociada al objeto ncm lanzado anteriormente. Por lo tanto, una vez que la interfaz usb0 está activa y se llama a eth_start_xmit(), el objeto ncm liberado se desreferencia y podría causar memoria de use-after-free. [función de desvinculación a través de configfs] usb0: eth_stop dev->port_usb=ffffff9b179c3200 --> el error ocurre en usb_ep_enable(). NCM: ncm_disable: ncm=ffffff9b179c3200 --> no gether_disconnect() ya que ncm->port.in_ep->enabled es falso. NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200 NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- ncm liberado [enlace de función a través de configfs] NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000 NCM: ncm_bind: cm enlazar ncm=ffffff9ac4f8a000 NCM: ncm_set_alt : ncm=ffffff9ac4f8a000 alt=0 usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- ncm usb0 lanzado anteriormente: eth_start dev->port_usb=ffffff9b179c3200 <-- eth_start_xmit() --> dev->wrap() No se puede manejar el kernel solicitud de paginación en la dirección virtual dead00000000014f Este parche soluciona el problema verificando si 'ncm->netdev' no es NULL en ncm_disable() para llamar a gether_disconnect() para desasociar 'dev->port_usb'. Es más razonable marcar 'ncm->netdev' para llamar a gether_connect/disconnect en lugar de marcar 'ncm->port.in_ep->enabled' ya que es posible que no esté habilitado pero que se pueda establecer la conexión conjunta.

01 May 2024, 13:02

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-01 06:15

Updated : 2024-12-23 19:49

NVD link : CVE-2024-26996

Mitre link : CVE-2024-26996

CVE.ORG link : CVE-2024-26996

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

{"id": "CVE-2024-26996", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-05-01T06:15:17.480", "references": [{"url": "https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\n\nWhen ncm function is working and then stop usb0 interface for link down,\neth_stop() is called. At this piont, accidentally if usb transport error\nshould happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.\n\nAfter that, ncm_disable() is called to disable for ncm unbind\nbut gether_disconnect() is never called since 'in_ep' is not enabled.\n\nAs the result, ncm object is released in ncm unbind\nbut 'dev->port_usb' associated to 'ncm->port' is not NULL.\n\nAnd when ncm bind again to recover netdev, ncm object is reallocated\nbut usb0 interface is already associated to previous released ncm object.\n\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\n\n[function unlink via configfs]\n usb0: eth_stop dev->port_usb=ffffff9b179c3200\n --> error happens in usb_ep_enable().\n NCM: ncm_disable: ncm=ffffff9b179c3200\n --> no gether_disconnect() since ncm->port.in_ep->enabled is false.\n NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\n NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm\n\n[function link via configfs]\n NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\n NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\n NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\n usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm\n usb0: eth_start dev->port_usb=ffffff9b179c3200 <--\n eth_start_xmit()\n --> dev->wrap()\n Unable to handle kernel paging request at virtual address dead00000000014f\n\nThis patch addresses the issue by checking if 'ncm->netdev' is not NULL at\nncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.\nIt's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect\nrather than check 'ncm->port.in_ep->enabled' since it might not be enabled\nbut the gether connection might be established."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: gadget: f_ncm: corrige el objeto UAF ncm al volver a vincularlo despu\u00e9s del error de transporte usb ep Cuando la funci\u00f3n ncm est\u00e1 funcionando y luego detiene la interfaz usb0 para desconectar el enlace, se llama a eth_stop() . En este punto, accidentalmente, si ocurre un error de transporte USB en usb_ep_enable(), es posible que 'in_ep' y/o 'out_ep' no est\u00e9n habilitados. Despu\u00e9s de eso, se llama a ncm_disable() para deshabilitar ncm unbind, pero nunca se llama a gether_disconnect() ya que 'in_ep' no est\u00e1 habilitado. Como resultado, el objeto ncm se libera en ncm unbind pero 'dev->port_usb' asociado a 'ncm->port' no es NULL. Y cuando ncm se vincula nuevamente para recuperar netdev, el objeto ncm se reasigna pero la interfaz usb0 ya est\u00e1 asociada al objeto ncm lanzado anteriormente. Por lo tanto, una vez que la interfaz usb0 est\u00e1 activa y se llama a eth_start_xmit(), el objeto ncm liberado se desreferencia y podr\u00eda causar memoria de use-after-free. [funci\u00f3n de desvinculaci\u00f3n a trav\u00e9s de configfs] usb0: eth_stop dev->port_usb=ffffff9b179c3200 --> el error ocurre en usb_ep_enable(). NCM: ncm_disable: ncm=ffffff9b179c3200 --> no gether_disconnect() ya que ncm->port.in_ep->enabled es falso. NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200 NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- ncm liberado [enlace de funci\u00f3n a trav\u00e9s de configfs] NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000 NCM: ncm_bind: cm enlazar ncm=ffffff9ac4f8a000 NCM: ncm_set_alt : ncm=ffffff9ac4f8a000 alt=0 usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- ncm usb0 lanzado anteriormente: eth_start dev->port_usb=ffffff9b179c3200 <-- eth_start_xmit() --> dev->wrap() No se puede manejar el kernel solicitud de paginaci\u00f3n en la direcci\u00f3n virtual dead00000000014f Este parche soluciona el problema verificando si 'ncm->netdev' no es NULL en ncm_disable() para llamar a gether_disconnect() para desasociar 'dev->port_usb'. Es m\u00e1s razonable marcar 'ncm->netdev' para llamar a gether_connect/disconnect en lugar de marcar 'ncm->port.in_ep->enabled' ya que es posible que no est\u00e9 habilitado pero que se pueda establecer la conexi\u00f3n conjunta."}], "lastModified": "2024-12-23T19:49:49.543", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB2F4D25-B857-48D0-BBDF-5EEEB37BE055", "versionEndExcluding": "5.15.157"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B665F958-644E-434D-A78D-CCD1628D1774", "versionEndExcluding": "6.1.88", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0999E154-1E68-41FA-8DE3-9A735E382224", "versionEndExcluding": "6.6.29", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "673B3328-389D-41A4-9617-669298635262", "versionEndExcluding": "6.8.8", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52048DDA-FC5A-4363-95A0-A6357B4D7F8C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A06B2CCF-3F43-4FA9-8773-C83C3F5764B2"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}

7.8 /10