A double-free vulnerability in the Linux kernel has been resolved. It affects tcpm (the USB Type-C Port Manager) when unregistering PD (Power Delivery) capabilities. The details of the vulnerability and the fix are described below.

Background on the Vulnerability

When unregistering PD capabilities in tcpm, KASAN (the Kernel Address Sanitizer) reports a double free. A double free occurs when the same memory block is deallocated twice, which can corrupt allocator state and create security risks. In this case, the same capability object is freed twice: first by the pd_capabilities_release() function and then again, explicitly, by the tcpm_port_unregister_pd() function.

The issue manifests itself in the following KASAN output:

[    3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc
[    3.995001] Free of addr ffff0008164d300 by task kworker/u16:0/10
[    4.001206]
[    4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53
[    4.012402] Hardware name: Freescale i.MX8QXP MEK (DT)
[    4.017569] Workqueue: events_unbound deferred_probe_work_func
[    4.023456] Call trace:
[    4.025920]  dump_backtrace+0x94/0xec
[    4.029629]  show_stack+0x18/0x24
[    4.032974]  dump_stack_lvl+0x78/0x90
[    4.036675]  print_report+0xfc/0x5c
[    4.040289]  kasan_report_invalid_free+0xa/0xc
[    4.044937]  __kasan_slab_free+0x124/0x154
[    4.049072]  kfree+0xb4/0x1e8
[    4.052069]  tcpm_port_unregister_pd+0x1a4/0x3dc
[    4.056725]  tcpm_register_port+0x1dd/0x2558
[    4.061121]  tcpci_register_port+0x420/0x71c
[    4.065430]  tcpci_probe+0x118/0x2e

Solution

To resolve the double free, the kfree() call has been removed from the tcpm_port_unregister_pd() function. The capability object is then freed exactly once, by pd_capabilities_release(), which eliminates the double free in this code path.
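The ownership rule behind the fix, shown as an added example that is not the kernel's or tcpm's code: it assumes, as the name suggests, that pd_capabilities_release() is the device release callback that runs on the last reference drop, and it replaces kfree() with a counter so the second free is recorded rather than executed.

```c
#include <string.h>

/* Constructed model, not tcpm's code: a capability object is owned by its
 * device and the device release callback frees it on the last put. kfree()
 * is replaced by a counter so a second free is recorded, not executed. */
struct model_device {
    int refcount;
    void (*release)(struct model_device *dev);
};
struct pd_caps {
    struct model_device dev;  /* first member, so a cast recovers the caps */
    int free_count;           /* how many times "kfree" hit this object */
};

/* Stands in for pd_capabilities_release(), the device release callback. */
static void model_caps_release(struct model_device *dev)
{
    struct pd_caps *caps = (struct pd_caps *)dev;
    caps->free_count++;       /* a real kfree(caps) would go here */
}
/* Stands in for put_device(): dropping the last reference runs release. */
static void model_put_device(struct model_device *dev)
{
    if (--dev->refcount == 0)
        dev->release(dev);
}
static void init_caps(struct pd_caps *caps)
{
    memset(caps, 0, sizeof(*caps));
    caps->dev.refcount = 1;
    caps->dev.release = model_caps_release;
}

/* Pre-fix pattern: drop the device reference, then free the caps again. */
int unregister_pd_buggy(void)
{
    struct pd_caps caps;
    init_caps(&caps);
    model_put_device(&caps.dev);  /* release callback frees once */
    caps.free_count++;            /* the explicit kfree() the fix removes */
    return caps.free_count;       /* 2: the double free KASAN reported */
}
/* Fixed pattern: only the release callback frees the object. */
int unregister_pd_fixed(void)
{
    struct pd_caps caps;
    init_caps(&caps);
    model_put_device(&caps.dev);
    return caps.free_count;       /* 1 */
}
```

The point the model makes is that once a device's release callback owns the object, the unregister path must only drop its reference and never free the object itself.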

Exploit Details

While the impact of this particular vulnerability on overall system security and stability might not be severe, it illustrates the importance of proper memory management in kernel code. Exploiting a double free can cause unexpected behaviour or data corruption, and in some cases lets an attacker execute arbitrary code on the target system. Here, the fix mitigates the risk by ensuring that the capability object is freed only once while tcpm unregisters PD capabilities.

Conclusion

The CVE-2024-26932 vulnerability, a double-free issue in the Linux kernel's USB Type-C Port Manager, has been resolved by removing an unnecessary kfree() function call from the tcpm_port_unregister_pd() function. This fix ensures that the PD capabilities are only deallocated once, preventing potential security risks and data corruption caused by double-free issues.

Timeline

Published on: 05/01/2024 06:15:07 UTC
Last modified on: 07/03/2024 01:50:02 UTC