cve-2024-46691
Vulnerability from cvelistv5
Published
2024-09-13 05:29
Modified
2024-12-19 09:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: Move unregister out of atomic section
Commit '9329933699b3 ("soc: qcom: pmic_glink: Make client-lock
non-sleeping")' moved the pmic_glink client list under a spinlock, as it
is accessed by the rpmsg/glink callback, which in turn is invoked from
IRQ context.
This means that ucsi_unregister() is now called from atomic context,
which isn't feasible as it's expecting a sleepable context. An effort is
under way to get GLINK to invoke its callbacks in a sleepable context,
but until then lets schedule the unregistration.
A side effect of this is that ucsi_unregister() can now happen
after the remote processor, and thereby the communication link with it, is
gone. pmic_glink_send() is amended with a check to avoid the resulting NULL
pointer dereference.
This does however result in the user being informed about this error by
the following entry in the kernel log:
ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-29T15:06:52.719050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-29T15:07:06.973Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/qcom/pmic_glink.c",
"drivers/usb/typec/ucsi/ucsi_glink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "095b0001aefddcd9361097c971b7debc84e72714",
"status": "affected",
"version": "9329933699b32d467a99befa20415c4b2172389a",
"versionType": "git"
},
{
"lessThan": "11bb2ffb679399f99041540cf662409905179e3a",
"status": "affected",
"version": "9329933699b32d467a99befa20415c4b2172389a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/qcom/pmic_glink.c",
"drivers/usb/typec/ucsi/ucsi_glink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Move unregister out of atomic section\n\nCommit \u00279329933699b3 (\"soc: qcom: pmic_glink: Make client-lock\nnon-sleeping\")\u0027 moved the pmic_glink client list under a spinlock, as it\nis accessed by the rpmsg/glink callback, which in turn is invoked from\nIRQ context.\n\nThis means that ucsi_unregister() is now called from atomic context,\nwhich isn\u0027t feasible as it\u0027s expecting a sleepable context. An effort is\nunder way to get GLINK to invoke its callbacks in a sleepable context,\nbut until then lets schedule the unregistration.\n\nA side effect of this is that ucsi_unregister() can now happen\nafter the remote processor, and thereby the communication link with it, is\ngone. pmic_glink_send() is amended with a check to avoid the resulting NULL\npointer dereference.\nThis does however result in the user being informed about this error by\nthe following entry in the kernel log:\n\n ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5"
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T09:21:04.182Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/095b0001aefddcd9361097c971b7debc84e72714"
},
{
"url": "https://git.kernel.org/stable/c/11bb2ffb679399f99041540cf662409905179e3a"
}
],
"title": "usb: typec: ucsi: Move unregister out of atomic section",
"x_generator": {
"engine": "bippy-5f407fcff5a0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-46691",
"datePublished": "2024-09-13T05:29:20.991Z",
"dateReserved": "2024-09-11T15:12:18.249Z",
"dateUpdated": "2024-12-19T09:21:04.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-46691\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-09-13T06:15:13.960\",\"lastModified\":\"2024-09-13T16:52:21.057\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: typec: ucsi: Move unregister out of atomic section\\n\\nCommit \u00279329933699b3 (\\\"soc: qcom: pmic_glink: Make client-lock\\nnon-sleeping\\\")\u0027 moved the pmic_glink client list under a spinlock, as it\\nis accessed by the rpmsg/glink callback, which in turn is invoked from\\nIRQ context.\\n\\nThis means that ucsi_unregister() is now called from atomic context,\\nwhich isn\u0027t feasible as it\u0027s expecting a sleepable context. An effort is\\nunder way to get GLINK to invoke its callbacks in a sleepable context,\\nbut until then lets schedule the unregistration.\\n\\nA side effect of this is that ucsi_unregister() can now happen\\nafter the remote processor, and thereby the communication link with it, is\\ngone. pmic_glink_send() is amended with a check to avoid the resulting NULL\\npointer dereference.\\nThis does however result in the user being informed about this error by\\nthe following entry in the kernel log:\\n\\n ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: typec: ucsi: Move unregister out of atomic section El Commit \u00279329933699b3 (\\\"soc: qcom: pmic_glink: Make client-lock non-sleeping\\\")\u0027 movi\u00f3 la lista de clientes pmic_glink bajo un spinlock, ya que es accedida por la devoluci\u00f3n de llamada rpmsg/glink, que a su vez se invoca desde el contexto IRQ. Esto significa que ucsi_unregister() ahora se llama desde el contexto at\u00f3mico, lo que no es factible ya que espera un contexto durmiente. Se est\u00e1 realizando un esfuerzo para lograr que GLINK invoque sus devoluciones de llamada en un contexto durmiente, pero hasta entonces, programemos la anulaci\u00f3n del registro. Un efecto secundario de esto es que ucsi_unregister() ahora puede suceder despu\u00e9s de que el procesador remoto, y por lo tanto el enlace de comunicaci\u00f3n con \u00e9l, se haya ido. pmic_glink_send() se modifica con una verificaci\u00f3n para evitar la desreferencia de puntero NULL resultante. Sin embargo, esto hace que el usuario sea informado sobre este error mediante la siguiente entrada en el registro del n\u00facleo: ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: no se pudo enviar la solicitud de escritura UCSI: -5\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.10\",\"versionEndExcluding\":\"6.10.8\",\"matchCriteriaId\":\"2CE718D7-41ED-4D4A-AED5-326C3D4383FB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3CE743-2126-47A3-8B7C-822B502CF119\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0005AEF-856E-47EB-BFE4-90C46899394D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"39889A68-6D34-47A6-82FC-CD0BF23D6754\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B8383ABF-1457-401F-9B61-EE50F4C61F4F\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/095b0001aefddcd9361097c971b7debc84e72714\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/11bb2ffb679399f99041540cf662409905179e3a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.