cve-2024-46693
Vulnerability from cvelistv5
Published
2024-09-13 05:29
Modified
2024-12-19 09:21
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: qcom: pmic_glink: Fix race during initialization
As pointed out by Stephen Boyd it is possible that during initialization
of the pmic_glink child drivers, the protection-domain notifiers fires,
and the associated work is scheduled, before the client registration
returns and as a result the local "client" pointer has been initialized.
The outcome of this is a NULL pointer dereference as the "client"
pointer is blindly dereferenced.
Timeline provided by Stephen:
CPU0 CPU1
---- ----
ucsi->client = NULL;
devm_pmic_glink_register_client()
client->pdr_notify(client->priv, pg->client_state)
pmic_glink_ucsi_pdr_notify()
schedule_work(&ucsi->register_work)
<schedule away>
pmic_glink_ucsi_register()
ucsi_register()
pmic_glink_ucsi_read_version()
pmic_glink_ucsi_read()
pmic_glink_ucsi_read()
pmic_glink_send(ucsi->client)
<client is NULL BAD>
ucsi->client = client // Too late!
This code is identical across the altmode, battery manager and usci
child drivers.
Resolve this by splitting the allocation of the "client" object and the
registration thereof into two operations.
This only happens if the protection domain registry is populated at the
time of registration, which by the introduction of commit '1ebcde047c54
("soc: qcom: add pd-mapper implementation")' became much more likely.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46693",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-29T15:06:19.795403Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-29T15:06:34.586Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/qcom_battmgr.c",
"drivers/soc/qcom/pmic_glink.c",
"drivers/soc/qcom/pmic_glink_altmode.c",
"drivers/usb/typec/ucsi/ucsi_glink.c",
"include/linux/soc/qcom/pmic_glink.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1efdbf5323c9360e05066049b97414405e94e087",
"status": "affected",
"version": "58ef4ece1e41ac525db3e79529909683325d85df",
"versionType": "git"
},
{
"lessThan": "943b0e7cc646a624bb20a68080f8f1a4a55df41c",
"status": "affected",
"version": "58ef4ece1e41ac525db3e79529909683325d85df",
"versionType": "git"
},
{
"lessThan": "3568affcddd68743e25aa3ec1647d9b82797757b",
"status": "affected",
"version": "58ef4ece1e41ac525db3e79529909683325d85df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/qcom_battmgr.c",
"drivers/soc/qcom/pmic_glink.c",
"drivers/soc/qcom/pmic_glink_altmode.c",
"drivers/usb/typec/ucsi/ucsi_glink.c",
"include/linux/soc/qcom/pmic_glink.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pmic_glink: Fix race during initialization\n\nAs pointed out by Stephen Boyd it is possible that during initialization\nof the pmic_glink child drivers, the protection-domain notifiers fires,\nand the associated work is scheduled, before the client registration\nreturns and as a result the local \"client\" pointer has been initialized.\n\nThe outcome of this is a NULL pointer dereference as the \"client\"\npointer is blindly dereferenced.\n\nTimeline provided by Stephen:\n CPU0 CPU1\n ---- ----\n ucsi-\u003eclient = NULL;\n devm_pmic_glink_register_client()\n client-\u003epdr_notify(client-\u003epriv, pg-\u003eclient_state)\n pmic_glink_ucsi_pdr_notify()\n schedule_work(\u0026ucsi-\u003eregister_work)\n \u003cschedule away\u003e\n pmic_glink_ucsi_register()\n ucsi_register()\n pmic_glink_ucsi_read_version()\n pmic_glink_ucsi_read()\n pmic_glink_ucsi_read()\n pmic_glink_send(ucsi-\u003eclient)\n \u003cclient is NULL BAD\u003e\n ucsi-\u003eclient = client // Too late!\n\nThis code is identical across the altmode, battery manager and usci\nchild drivers.\n\nResolve this by splitting the allocation of the \"client\" object and the\nregistration thereof into two operations.\n\nThis only happens if the protection domain registry is populated at the\ntime of registration, which by the introduction of commit \u00271ebcde047c54\n(\"soc: qcom: add pd-mapper implementation\")\u0027 became much more likely."
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T09:21:06.763Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1efdbf5323c9360e05066049b97414405e94e087"
},
{
"url": "https://git.kernel.org/stable/c/943b0e7cc646a624bb20a68080f8f1a4a55df41c"
},
{
"url": "https://git.kernel.org/stable/c/3568affcddd68743e25aa3ec1647d9b82797757b"
}
],
"title": "soc: qcom: pmic_glink: Fix race during initialization",
"x_generator": {
"engine": "bippy-5f407fcff5a0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-46693",
"datePublished": "2024-09-13T05:29:22.260Z",
"dateReserved": "2024-09-11T15:12:18.249Z",
"dateUpdated": "2024-12-19T09:21:06.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-46693\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-09-13T06:15:14.140\",\"lastModified\":\"2024-09-13T16:52:41.270\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoc: qcom: pmic_glink: Fix race during initialization\\n\\nAs pointed out by Stephen Boyd it is possible that during initialization\\nof the pmic_glink child drivers, the protection-domain notifiers fires,\\nand the associated work is scheduled, before the client registration\\nreturns and as a result the local \\\"client\\\" pointer has been initialized.\\n\\nThe outcome of this is a NULL pointer dereference as the \\\"client\\\"\\npointer is blindly dereferenced.\\n\\nTimeline provided by Stephen:\\n CPU0 CPU1\\n ---- ----\\n ucsi-\u003eclient = NULL;\\n devm_pmic_glink_register_client()\\n client-\u003epdr_notify(client-\u003epriv, pg-\u003eclient_state)\\n pmic_glink_ucsi_pdr_notify()\\n schedule_work(\u0026ucsi-\u003eregister_work)\\n \u003cschedule away\u003e\\n pmic_glink_ucsi_register()\\n ucsi_register()\\n pmic_glink_ucsi_read_version()\\n pmic_glink_ucsi_read()\\n pmic_glink_ucsi_read()\\n pmic_glink_send(ucsi-\u003eclient)\\n \u003cclient is NULL BAD\u003e\\n ucsi-\u003eclient = client // Too late!\\n\\nThis code is identical across the altmode, battery manager and usci\\nchild drivers.\\n\\nResolve this by splitting the allocation of the \\\"client\\\" object and the\\nregistration thereof into two operations.\\n\\nThis only happens if the protection domain registry is populated at the\\ntime of registration, which by the introduction of commit \u00271ebcde047c54\\n(\\\"soc: qcom: add pd-mapper implementation\\\")\u0027 became much more likely.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: soc: qcom: pmic_glink: Correcci\u00f3n de la ejecuci\u00f3n durante la inicializaci\u00f3n Como se\u00f1al\u00f3 Stephen Boyd, es posible que durante la inicializaci\u00f3n de los controladores secundarios pmic_glink, se activen los notificadores del dominio de protecci\u00f3n y se programe el trabajo asociado, antes de que vuelva el registro del cliente y, como resultado, se haya inicializado el puntero \\\"cliente\\\" local. El resultado de esto es una desreferencia de puntero NULL ya que el puntero \\\"cliente\\\" se desreferencia ciegamente. Cronolog\u00eda proporcionada por Stephen: CPU0 CPU1 ---- ---- ucsi-\u0026gt;client = NULL; devm_pmic_glink_register_client() client-\u0026gt;pdr_notify(client-\u0026gt;priv, pg-\u0026gt;client_state) pmic_glink_ucsi_pdr_notify() schedule_work(\u0026amp;ucsi-\u0026gt;register_work) pmic_glink_ucsi_register() ucsi_register() pmic_glink_ucsi_read_version() pmic_glink_ucsi_read() pmic_glink_ucsi_read() pmic_glink_send(ucsi-\u0026gt;client) ucsi-\u0026gt;client = client // \u00a1Demasiado tarde! Este c\u00f3digo es id\u00e9ntico en los controladores secundarios altmode, battery manager y usci. Resuelva esto dividiendo la asignaci\u00f3n del objeto \\\"cliente\\\" y su registro en dos operaciones. Esto solo sucede si el registro del dominio de protecci\u00f3n se completa al momento del registro, lo que se volvi\u00f3 mucho m\u00e1s probable con la introducci\u00f3n del commit \u00271ebcde047c54 (\\\"soc: qcom: add pd-mapper implementation\\\").\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.3\",\"versionEndExcluding\":\"6.6.49\",\"matchCriteriaId\":\"317A2689-BFEC-4C68-A8FF-A961C72445FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.10.8\",\"matchCriteriaId\":\"1B5D46C3-56A4-4380-9309-27BF73DF29A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3CE743-2126-47A3-8B7C-822B502CF119\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0005AEF-856E-47EB-BFE4-90C46899394D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"39889A68-6D34-47A6-82FC-CD0BF23D6754\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B8383ABF-1457-401F-9B61-EE50F4C61F4F\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1efdbf5323c9360e05066049b97414405e94e087\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3568affcddd68743e25aa3ec1647d9b82797757b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/943b0e7cc646a624bb20a68080f8f1a4a55df41c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.