CVE-2024-46691: Linux Kernel USB Type-C Vulnerability Resolved

In the Linux kernel, a vulnerability affecting USB Type-C communication was recently resolved. It concerns the USB Type-C Connector System Software Interface (UCSI) driver used with the Qualcomm pmic_glink transport. The issue arose when ucsi_unregister(), which expects a sleepable context, ended up being called from an atomic context after a related client list was moved under a spinlock. This post discusses the details of the vulnerability, provides a code snippet for a clearer understanding, and offers links to the original references and sources for further investigation.

Vulnerability Details

The vulnerability traces back to commit 9329933699b3 ("soc: qcom: pmic_glink: Make client-lock non-sleeping"). That commit moved the pmic_glink client list under a spinlock, because the list is accessed by the rpmsg/glink callback, and that callback is invoked from IRQ context. As a result, ucsi_unregister() is now called from an atomic context instead of the sleepable context it expects.

The impact of this vulnerability is a potential NULL pointer dereference when the communication link with the remote processor has already been torn down before ucsi_unregister() runs. The condition surfaces in the kernel log as an error such as the following:

ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.: failed to send UCSI write request: -5

Solution and Code Snippet

The fix defers the call to ucsi_unregister() to a work item, so that it runs in a sleepable context instead of directly from the callback. A side effect is that unregistration can now happen after the remote processor has gone away and the communication link is already terminated, so pmic_glink_send() was also extended with a check that avoids the NULL pointer dereference described above. Here is a snippet of code showcasing the solution to this vulnerability:

// Defer the call to ucsi_unregister() to a work item (runs in sleepable context)
schedule_work(&ucsic->ucsic_unregister);

With this solution in place, the Linux kernel has resolved the vulnerability in the USB Type-C communication, specifically pertaining to the UCSI implementation.
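The following is an added userspace model of the two parts of the fix, not kernel code and not the actual patch: atomic context is modelled by a depth counter, the work queue by a pending flag, and all struct and function names are assumptions chosen for illustration. It shows why the direct call from the locked callback fails, why queueing is safe, and why pmic_glink_send() now needs the link check.

```c
/* Added userspace model of the fix (not kernel code): atomic context is a
 * depth counter, the work queue is a pending flag. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

static int atomic_depth;                 /* >0 while a spinlock is held */
struct glink_link { bool up; };          /* modelled link to the remote processor */
struct ucsi_client {
    struct glink_link *link;             /* NULL once the remote processor is gone */
    bool registered;
    bool unregister_pending;             /* models a queued work_struct */
};

/* pmic_glink_send() with the added link check. */
static int pmic_glink_send(struct ucsi_client *c)
{
    if (!c->link) return -ENODEV;        /* previously a NULL pointer dereference */
    return c->link->up ? 0 : -EIO;       /* -EIO is the -5 in the log line above */
}
/* ucsi_unregister() needs a sleepable context; the model errors where might_sleep() would warn. */
static int ucsi_unregister(struct ucsi_client *c)
{
    if (atomic_depth > 0) return -EWOULDBLOCK; /* the bug: called under the lock */
    pmic_glink_send(c);                  /* may now fail harmlessly with -ENODEV */
    c->registered = false;
    return 0;
}
/* Before the fix: the callback runs under the client-list spinlock (IRQ context). */
static int client_cb_before_fix(struct ucsi_client *c)
{
    atomic_depth++;                      /* spin_lock_irqsave() */
    int ret = ucsi_unregister(c);
    atomic_depth--;                      /* spin_unlock_irqrestore() */
    return ret;
}
/* After the fix: the callback only queues the work, which is fine under a lock. */
static void client_cb_after_fix(struct ucsi_client *c)
{
    atomic_depth++;
    c->unregister_pending = true;        /* schedule_work(...) */
    atomic_depth--;
}
/* The worker runs later in sleepable context, possibly after link teardown. */
static int run_unregister_work(struct ucsi_client *c)
{
    if (!c->unregister_pending) return -ENOENT;
    c->unregister_pending = false;
    return ucsi_unregister(c);
}
```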

Original References and Sources

For further details regarding this vulnerability and the corresponding patches, the following resources provide extensive information:

1. Linux kernel Git commit: 9329933699b3 ("soc: qcom: pmic_glink: Make client-lock non-sleeping")

2. Linux kernel mailing list: PATCH to resolve the issue

By understanding and addressing this vulnerability, the Linux kernel continues to maintain its commitment to secure and stable system operation. It is essential for users, developers, and organizations to remain informed about security updates and patches to ensure their systems are protected against potential threats.

Timeline

Published on: 09/13/2024 06:15:13 UTC
Last modified on: 09/15/2024 17:57:45 UTC