CVE-2024-26995 - Critical Off-By-One Vulnerability in the Linux Kernel USB Type-C Power Delivery Manager Resolved

In the world of Linux kernel security, a new vulnerability, tracked as CVE-2024-26995, has been discovered and resolved before it is known to have caused any significant damage. The flaw was found in the USB Type-C Port Manager (TCPM), the kernel component responsible for USB Power Delivery negotiation over USB Type-C connections. The details of the vulnerability and its impact are outlined below, along with the code change that resolves the issue and links to the original references.

Vulnerability Details

The vulnerability is an off-by-one error: the counts nr_snk_pdo and nr_src_pdo were incorrectly incremented by one before being used as array bounds. This can lead to unexpected behavior during power negotiation between USB Type-C devices, as the following scenarios show:

* If the off-by-one overflow occurs when "nr_snk_pdo" is used as the size of the local sink PDO array, a wrong RDO (Request Data Object) might be sent, potentially leading to unexpected power transfer (such as over-voltage or over-current) between devices.

* Similarly, if the off-by-one overflow occurs when "nr_src_pdo" is used to set the Rp level while the port is in the Source role, a wrong Rp level might be set and wrong Source PDOs will be sent to the partner port. This could cause over-current problems or port resets.

In summary, if left unresolved, this vulnerability could have potentially caused dangerous power issues with connected USB Type-C devices.

The following code snippet shows the change that resolves this vulnerability:

- nr_pdos = tcpm->nr_snk_pdo + 1;
+ nr_pdos = tcpm->nr_snk_pdo;
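Review bot: The hunk only shows the nr_snk_pdo correction, while the write-up states that nr_src_pdo (used to set the Rp level in the Source role) was fixed in the same way; the corresponding `- ... tcpm->nr_src_pdo + 1` / `+ ... tcpm->nr_src_pdo` change should be quoted alongside it so the reader sees the full fix. The hunk also lacks its `@@` header and file name, so it is not clear from the snippet which function in the TCPM driver the bound belongs to.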

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Guenter Roeck <linux@roeck-us.net>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211013060826.14151-1-hdegoede@redhat.com

By no longer adding one to nr_snk_pdo (and likewise nr_src_pdo), the fix uses the true number of PDOs as the loop bound, so the negotiation code reads only the populated entries of the PDO array and the power negotiation process works correctly and safely.
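To make the sink-PDO scenario concrete, here is an added, self-contained C example that is not code from the kernel or from the fix above. It models a port with a fixed-capacity sink PDO table (the struct, the STALE_PDO marker and the PDO values are constructed for illustration) and walks the table with the pre-fix bound (nr_snk_pdo + 1) and the post-fix bound (nr_snk_pdo). With the off-by-one bound a stale slot beyond the live entries is copied into the outgoing capabilities message; when the table is already full, the same bound would read past the end of the array, which the example's bounds check rejects instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A USB PD capabilities message carries at most 7 data objects (PDOs). */
#define PDO_MAX_OBJECTS 7u

/* Constructed marker standing in for whatever stale data an unused slot holds. */
#define STALE_PDO 0xDEADBEEFu

/* Constructed stand-in for per-port state (not the kernel's struct):
 * a fixed-capacity sink PDO table plus the count of populated entries. */
struct port_state {
    uint32_t snk_pdo[PDO_MAX_OBJECTS];
    unsigned int nr_snk_pdo;
};

/* Fill a constructed port with `live` sink PDOs; every unused slot is set to
 * STALE_PDO so that a read past the live entries is observable. */
void init_port(struct port_state *p, unsigned int live)
{
    if (live > PDO_MAX_OBJECTS)
        live = PDO_MAX_OBJECTS;
    for (unsigned int i = 0; i < PDO_MAX_OBJECTS; i++)
        p->snk_pdo[i] = STALE_PDO;
    for (unsigned int i = 0; i < live; i++)
        p->snk_pdo[i] = 0x00019032u + i;   /* constructed fixed-supply PDOs */
    p->nr_snk_pdo = live;
}

/* Copy nr_pdos sink PDOs into an outgoing message buffer.
 * Returns the number copied, or -1 when nr_pdos exceeds the table or the
 * buffer (the case in which an off-by-one bound would read out of bounds). */
int build_snk_caps(const struct port_state *p, unsigned int nr_pdos,
                   uint32_t *msg, size_t msg_cap)
{
    if (nr_pdos > PDO_MAX_OBJECTS || nr_pdos > msg_cap)
        return -1;
    for (unsigned int i = 0; i < nr_pdos; i++)
        msg[i] = p->snk_pdo[i];
    return (int)nr_pdos;
}

/* Count stale entries that ended up in a message of n PDOs. */
unsigned int count_stale(const uint32_t *msg, int n)
{
    unsigned int stale = 0;
    for (int i = 0; i < n; i++)
        if (msg[i] == STALE_PDO)
            stale++;
    return stale;
}

/* Build the message with the given loop bound and report how many stale PDOs
 * it carries; -1 means the bound was rejected by the bounds check. */
int stale_sent(const struct port_state *p, unsigned int bound)
{
    uint32_t msg[PDO_MAX_OBJECTS];
    int n = build_snk_caps(p, bound, msg, PDO_MAX_OBJECTS);
    return n < 0 ? -1 : (int)count_stale(msg, n);
}

/* Convenience wrapper: a port with `live` PDOs walked with the pre-fix bound
 * (nr_snk_pdo + 1) or the post-fix bound (nr_snk_pdo). */
int stale_sent_for(unsigned int live, bool fixed)
{
    struct port_state p;
    init_port(&p, live);
    unsigned int bound = fixed ? p.nr_snk_pdo : p.nr_snk_pdo + 1;
    return stale_sent(&p, bound);
}

int main(void)
{
    printf("3 PDOs, pre-fix bound : %d stale PDO(s) sent\n", stale_sent_for(3, false));
    printf("3 PDOs, post-fix bound: %d stale PDO(s) sent\n", stale_sent_for(3, true));
    printf("7 PDOs, pre-fix bound : %d (rejected: would read past the array)\n",
           stale_sent_for(7, false));
    printf("7 PDOs, post-fix bound: %d stale PDO(s) sent\n", stale_sent_for(7, true));
    return 0;
}
```

The explicit check in build_snk_caps is the defensive counterpart of the fix: even after the bound is corrected, validating a PDO count against the table capacity before it is used as an array index turns a silent out-of-bounds read into a detectable error.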

Original References

For more information and deeper understanding of the vulnerability and its resolution, refer to the following sources:

* Kernel Mailing List Discussion
* Linux Kernel Git Commit

Conclusion

CVE-2024-26995 demonstrates the importance of persistent vigilance in maintaining and securing essential components of the Linux kernel. The swift resolution of this vulnerability in the USB Type-C Port Manager restores safe and correct USB Type-C power negotiation between connected devices. Users and developers are advised to keep their systems updated regularly to stay protected against potential exploits and vulnerabilities.

Timeline

Published on: 05/01/2024 06:15:17 UTC
Last modified on: 05/29/2024 05:26:38 UTC