{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-46693", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-09-11T15:12:18.249Z", "datePublished": "2024-09-13T05:29:22.260Z", "dateUpdated": "2024-09-15T17:57:47.661Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-09-15T17:57:47.661Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pmic_glink: Fix race during initialization\n\nAs pointed out by Stephen Boyd it is possible that during initialization\nof the pmic_glink child drivers, the protection-domain notifiers fires,\nand the associated work is scheduled, before the client registration\nreturns and as a result the local \"client\" pointer has been initialized.\n\nThe outcome of this is a NULL pointer dereference as the \"client\"\npointer is blindly dereferenced.\n\nTimeline provided by Stephen:\n CPU0 CPU1\n ---- ----\n ucsi->client = NULL;\n devm_pmic_glink_register_client()\n client->pdr_notify(client->priv, pg->client_state)\n pmic_glink_ucsi_pdr_notify()\n schedule_work(&ucsi->register_work)\n <schedule away>\n pmic_glink_ucsi_register()\n ucsi_register()\n pmic_glink_ucsi_read_version()\n pmic_glink_ucsi_read()\n pmic_glink_ucsi_read()\n pmic_glink_send(ucsi->client)\n <client is NULL BAD>\n ucsi->client = client // Too late!\n\nThis code is identical across the altmode, battery manager and usci\nchild drivers.\n\nResolve this by splitting the allocation of the \"client\" object and the\nregistration thereof into two operations.\n\nThis only happens if the protection domain registry is populated at the\ntime of registration, which by the introduction of commit '1ebcde047c54\n(\"soc: qcom: add pd-mapper implementation\")' became much more likely."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/power/supply/qcom_battmgr.c", "drivers/soc/qcom/pmic_glink.c", "drivers/soc/qcom/pmic_glink_altmode.c", "drivers/usb/typec/ucsi/ucsi_glink.c", "include/linux/soc/qcom/pmic_glink.h"], "versions": [{"version": "58ef4ece1e41", "lessThan": "1efdbf5323c9", "status": "affected", "versionType": "git"}, {"version": "58ef4ece1e41", "lessThan": "943b0e7cc646", "status": "affected", "versionType": "git"}, {"version": "58ef4ece1e41", "lessThan": "3568affcddd6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/power/supply/qcom_battmgr.c", "drivers/soc/qcom/pmic_glink.c", "drivers/soc/qcom/pmic_glink_altmode.c", "drivers/usb/typec/ucsi/ucsi_glink.c", "include/linux/soc/qcom/pmic_glink.h"], "versions": [{"version": "6.3", "status": "affected"}, {"version": "0", "lessThan": "6.3", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.49", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10.8", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.11", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/1efdbf5323c9360e05066049b97414405e94e087"}, {"url": "https://git.kernel.org/stable/c/943b0e7cc646a624bb20a68080f8f1a4a55df41c"}, {"url": "https://git.kernel.org/stable/c/3568affcddd68743e25aa3ec1647d9b82797757b"}], "title": "soc: qcom: pmic_glink: Fix race during initialization", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "317A2689-BFEC-4C68-A8FF-A961C72445FA", "versionEndExcluding": "6.6.49", "versionStartIncluding": "6.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B5D46C3-56A4-4380-9309-27BF73DF29A7", "versionEndExcluding": "6.10.8", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*", "matchCriteriaId": "8B3CE743-2126-47A3-8B7C-822B502CF119", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*", "matchCriteriaId": "4DEB27E7-30AA-45CC-8934-B89263EF3551", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*", "matchCriteriaId": "E0005AEF-856E-47EB-BFE4-90C46899394D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*", "matchCriteriaId": "39889A68-6D34-47A6-82FC-CD0BF23D6754", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*", "matchCriteriaId": "B8383ABF-1457-401F-9B61-EE50F4C61F4F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pmic_glink: Fix race during initialization\n\nAs pointed out by Stephen Boyd it is possible that during initialization\nof the pmic_glink child drivers, the protection-domain notifiers fires,\nand the associated work is scheduled, before the client registration\nreturns and as a result the local \"client\" pointer has been initialized.\n\nThe outcome of this is a NULL pointer dereference as the \"client\"\npointer is blindly dereferenced.\n\nTimeline provided by Stephen:\n CPU0 CPU1\n ---- ----\n ucsi->client = NULL;\n devm_pmic_glink_register_client()\n client->pdr_notify(client->priv, pg->client_state)\n pmic_glink_ucsi_pdr_notify()\n schedule_work(&ucsi->register_work)\n <schedule away>\n pmic_glink_ucsi_register()\n ucsi_register()\n pmic_glink_ucsi_read_version()\n pmic_glink_ucsi_read()\n pmic_glink_ucsi_read()\n pmic_glink_send(ucsi->client)\n <client is NULL BAD>\n ucsi->client = client // Too late!\n\nThis code is identical across the altmode, battery manager and usci\nchild drivers.\n\nResolve this by splitting the allocation of the \"client\" object and the\nregistration thereof into two operations.\n\nThis only happens if the protection domain registry is populated at the\ntime of registration, which by the introduction of commit '1ebcde047c54\n(\"soc: qcom: add pd-mapper implementation\")' became much more likely."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: soc: qcom: pmic_glink: Correcci\u00f3n de la ejecuci\u00f3n durante la inicializaci\u00f3n Como se\u00f1al\u00f3 Stephen Boyd, es posible que durante la inicializaci\u00f3n de los controladores secundarios pmic_glink, se activen los notificadores del dominio de protecci\u00f3n y se programe el trabajo asociado, antes de que vuelva el registro del cliente y, como resultado, se haya inicializado el puntero \"cliente\" local. El resultado de esto es una desreferencia de puntero NULL ya que el puntero \"cliente\" se desreferencia ciegamente. Cronolog\u00eda proporcionada por Stephen: CPU0 CPU1 ---- ---- ucsi-&gt;client = NULL; devm_pmic_glink_register_client() client-&gt;pdr_notify(client-&gt;priv, pg-&gt;client_state) pmic_glink_ucsi_pdr_notify() schedule_work(&amp;ucsi-&gt;register_work) pmic_glink_ucsi_register() ucsi_register() pmic_glink_ucsi_read_version() pmic_glink_ucsi_read() pmic_glink_ucsi_read() pmic_glink_send(ucsi-&gt;client) ucsi-&gt;client = client // \u00a1Demasiado tarde! Este c\u00f3digo es id\u00e9ntico en los controladores secundarios altmode, battery manager y usci. Resuelva esto dividiendo la asignaci\u00f3n del objeto \"cliente\" y su registro en dos operaciones. Esto solo sucede si el registro del dominio de protecci\u00f3n se completa al momento del registro, lo que se volvi\u00f3 mucho m\u00e1s probable con la introducci\u00f3n del commit '1ebcde047c54 (\"soc: qcom: add pd-mapper implementation\")."}], "id": "CVE-2024-46693", "lastModified": "2024-09-13T16:52:41.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-09-13T06:15:14.140", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1efdbf5323c9360e05066049b97414405e94e087"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3568affcddd68743e25aa3ec1647d9b82797757b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/943b0e7cc646a624bb20a68080f8f1a4a55df41c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: soc: qcom: pmic_glink: Fix race during initialization", "id": "2312081", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312081"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nsoc: qcom: pmic_glink: Fix race during initialization\nAs pointed out by Stephen Boyd it is possible that during initialization\nof the pmic_glink child drivers, the protection-domain notifiers fires,\nand the associated work is scheduled, before the client registration\nreturns and as a result the local \"client\" pointer has been initialized.\nThe outcome of this is a NULL pointer dereference as the \"client\"\npointer is blindly dereferenced.\nTimeline provided by Stephen:\nCPU0 CPU1\n---- ----\nucsi->client = NULL;\ndevm_pmic_glink_register_client()\nclient->pdr_notify(client->priv, pg->client_state)\npmic_glink_ucsi_pdr_notify()\nschedule_work(&ucsi->register_work)\n<schedule away>\npmic_glink_ucsi_register()\nucsi_register()\npmic_glink_ucsi_read_version()\npmic_glink_ucsi_read()\npmic_glink_ucsi_read()\npmic_glink_send(ucsi->client)\n<client is NULL BAD>\nucsi->client = client // Too late!\nThis code is identical across the altmode, battery manager and usci\nchild drivers.\nResolve this by splitting the allocation of the \"client\" object and the\nregistration thereof into two operations.\nThis only happens if the protection domain registry is populated at the\ntime of registration, which by the introduction of commit '1ebcde047c54\n(\"soc: qcom: add pd-mapper implementation\")' became much more likely."], "name": "CVE-2024-46693", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-09-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-46693\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-46693\nhttps://lore.kernel.org/linux-cve-announce/2024091340-CVE-2024-46693-cbe3@gregkh/T"], "threat_severity": "Moderate"}