fkie_cve-2025-68323
Vulnerability from fkie_nvd
Published
2025-12-18 15:16
Modified
2025-12-19 18:00
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: fix use-after-free caused by uec->work The delayed work uec->work is scheduled in gaokun_ucsi_probe() but never properly canceled in gaokun_ucsi_remove(). This creates use-after-free scenarios where the ucsi and gaokun_ucsi structure are freed after ucsi_destroy() completes execution, while the gaokun_ucsi_register_worker() might be either currently executing or still pending in the work queue. The already-freed gaokun_ucsi or ucsi structure may then be accessed. Furthermore, the race window is 3 seconds, which is sufficiently long to make this bug easily reproducible. The following is the trace captured by KASAN: ================================================================== BUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630 Write of size 8 at addr ffff00000ec28cc8 by task swapper/0/0 ... Call trace: show_stack+0x18/0x24 (C) dump_stack_lvl+0x78/0x90 print_report+0x114/0x580 kasan_report+0xa4/0xf0 __asan_report_store8_noabort+0x20/0x2c __run_timers+0x5ec/0x630 run_timer_softirq+0xe8/0x1cc handle_softirqs+0x294/0x720 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x1c call_on_irq_stack+0x30/0x48 do_softirq_own_stack+0x1c/0x28 __irq_exit_rcu+0x27c/0x364 irq_exit_rcu+0x10/0x1c el1_interrupt+0x40/0x60 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 arch_local_irq_enable+0x4/0x8 (P) do_idle+0x334/0x458 cpu_startup_entry+0x60/0x70 rest_init+0x158/0x174 start_kernel+0x2f8/0x394 __primary_switched+0x8c/0x94 Allocated by task 72 on cpu 0 at 27.510341s: kasan_save_stack+0x2c/0x54 kasan_save_track+0x24/0x5c kasan_save_alloc_info+0x40/0x54 __kasan_kmalloc+0xa0/0xb8 __kmalloc_node_track_caller_noprof+0x1c0/0x588 devm_kmalloc+0x7c/0x1c8 gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8 really_probe+0x17c/0x5b8 __driver_probe_device+0x158/0x2c4 driver_probe_device+0x10c/0x264 __device_attach_driver+0x168/0x2d0 bus_for_each_drv+0x100/0x188 __device_attach+0x174/0x368 device_initial_probe+0x14/0x20 bus_probe_device+0x120/0x150 device_add+0xb3c/0x10fc __auxiliary_device_add+0x88/0x130 ... Freed by task 73 on cpu 1 at 28.910627s: kasan_save_stack+0x2c/0x54 kasan_save_track+0x24/0x5c __kasan_save_free_info+0x4c/0x74 __kasan_slab_free+0x60/0x8c kfree+0xd4/0x410 devres_release_all+0x140/0x1f0 device_unbind_cleanup+0x20/0x190 device_release_driver_internal+0x344/0x460 device_release_driver+0x18/0x24 bus_remove_device+0x198/0x274 device_del+0x310/0xa84 ... The buggy address belongs to the object at ffff00000ec28c00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 200 bytes inside of freed 512-byte region The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28 head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff) page_type: f5(slab) raw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000 head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================ ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2b7a0f47aaf2439d517ba0a6b29c66a535302154
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a880ef71a1c8da266b88491213c37893e2126489
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d8ac85c76a4279979b917d4b2f9c6b07d9783003
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: fix use-after-free caused by uec-\u003ework\n\nThe delayed work uec-\u003ework is scheduled in gaokun_ucsi_probe()\nbut never properly canceled in gaokun_ucsi_remove(). This creates\nuse-after-free scenarios where the ucsi and gaokun_ucsi structure\nare freed after ucsi_destroy() completes execution, while the\ngaokun_ucsi_register_worker() might be either currently executing\nor still pending in the work queue. The already-freed gaokun_ucsi\nor ucsi structure may then be accessed.\n\nFurthermore, the race window is 3 seconds, which is sufficiently\nlong to make this bug easily reproducible. The following is the\ntrace captured by KASAN:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630\nWrite of size 8 at addr ffff00000ec28cc8 by task swapper/0/0\n...\nCall trace:\n show_stack+0x18/0x24 (C)\n dump_stack_lvl+0x78/0x90\n print_report+0x114/0x580\n kasan_report+0xa4/0xf0\n __asan_report_store8_noabort+0x20/0x2c\n __run_timers+0x5ec/0x630\n run_timer_softirq+0xe8/0x1cc\n handle_softirqs+0x294/0x720\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x1c\n call_on_irq_stack+0x30/0x48\n do_softirq_own_stack+0x1c/0x28\n __irq_exit_rcu+0x27c/0x364\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x40/0x60\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n arch_local_irq_enable+0x4/0x8 (P)\n do_idle+0x334/0x458\n cpu_startup_entry+0x60/0x70\n rest_init+0x158/0x174\n start_kernel+0x2f8/0x394\n __primary_switched+0x8c/0x94\n\nAllocated by task 72 on cpu 0 at 27.510341s:\n kasan_save_stack+0x2c/0x54\n kasan_save_track+0x24/0x5c\n kasan_save_alloc_info+0x40/0x54\n __kasan_kmalloc+0xa0/0xb8\n __kmalloc_node_track_caller_noprof+0x1c0/0x588\n devm_kmalloc+0x7c/0x1c8\n gaokun_ucsi_probe+0xa0/0x840  auxiliary_bus_probe+0x94/0xf8\n really_probe+0x17c/0x5b8\n __driver_probe_device+0x158/0x2c4\n driver_probe_device+0x10c/0x264\n __device_attach_driver+0x168/0x2d0\n bus_for_each_drv+0x100/0x188\n __device_attach+0x174/0x368\n device_initial_probe+0x14/0x20\n bus_probe_device+0x120/0x150\n device_add+0xb3c/0x10fc\n __auxiliary_device_add+0x88/0x130\n...\n\nFreed by task 73 on cpu 1 at 28.910627s:\n kasan_save_stack+0x2c/0x54\n kasan_save_track+0x24/0x5c\n __kasan_save_free_info+0x4c/0x74\n __kasan_slab_free+0x60/0x8c\n kfree+0xd4/0x410\n devres_release_all+0x140/0x1f0\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x344/0x460\n device_release_driver+0x18/0x24\n bus_remove_device+0x198/0x274\n device_del+0x310/0xa84\n...\n\nThe buggy address belongs to the object at ffff00000ec28c00\n which belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 200 bytes inside of\n freed 512-byte region\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28\nhead: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nflags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)\npage_type: f5(slab)\nraw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\nhead: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000\nhead: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\nhead: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff\nhead: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003effff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                              ^\n ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n================================================================\n---truncated---"
    }
  ],
  "id": "CVE-2025-68323",
  "lastModified": "2025-12-19T18:00:54.283",
  "metrics": {},
  "published": "2025-12-18T15:16:06.103",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2b7a0f47aaf2439d517ba0a6b29c66a535302154"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a880ef71a1c8da266b88491213c37893e2126489"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d8ac85c76a4279979b917d4b2f9c6b07d9783003"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.