CVE-2024-26653: Linux Kernel USB Double Free Vulnerability Fixed with Auxiliary Device Cleanup

A vulnerability in the Linux kernel's USB subsystem has recently been identified and fixed. This vulnerability, identified as CVE-2024-26653, is a double free bug in the error handling path of the ljca (Linux Journaling Client Application) driver. In this post, we will discuss the details of the vulnerability, the fix, and provide code snippets for a better understanding of the issue.

Description of Vulnerability

The issue occurs when the auxiliary_device_add() function returns an error, leading to the call of auxiliary_device_uninit(). The callback function ljca_auxdev_release then calls kfree(auxdev->dev.platform_data) to free the parameter data of the ljca_new_client_device function. However, the callers of ljca_new_client_device should not call kfree() again in the error handling path to free the platform data. This results in a double free vulnerability, which could potentially be exploited by an attacker.

The Fix

To fix this issue, the redundant kfree() calls in all callers have been cleaned up. Additionally, kfree() has been added to pass in platform_data on errors that occur before auxiliary_device_init() succeeds. This effectively prevents the double free vulnerability from being exploited.

Original Reference

Details about the vulnerability and its fix can be found on the Linux kernel repository. The specific commit that resolves this issue can be found here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be6a745a5ff8c83a02abc110e57b4a9ee6604b33

Code Snippet

Prior to the fix, the faulty code in the error handling path of ljca_new_client_device() looked like this:

if (ret) {
    kfree(platform_data);
    put_device(&client->auxdev.dev);
}

After the fix has been implemented, the corrected code now looks like this

if (ret) {
    put_device(&client->auxdev.dev);
}

This change removes the unnecessary kfree() call that resulted in the double free vulnerability.

Exploit Details

With the removal of the redundant kfree() call in the error handling path, an attacker can no longer exploit the double free vulnerability. Although no known exploits for this vulnerability have been reported, the potential for exploitation underscores the importance of keeping the Linux kernel secure and up-to-date.

Conclusion

CVE-2024-26653 was a double free vulnerability in the Linux kernel's USB subsystem specifically related to the ljca driver's error handling path. The issue has been resolved by cleaning up redundant kfree() calls and adding kfree() to pass in platform_data on errors that occur before auxiliary_device_init() succeeds. To ensure the security of your systems, it is recommended to update your Linux kernel with the latest bug fixes and security patches.

Timeline

Published on: 04/01/2024 09:15:51 UTC
Last modified on: 05/29/2024 05:20:12 UTC