cve/published/2024/CVE-2024-36893.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36893: usb: typec: tcpm: Check for port partner validity before consuming it

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: typec: tcpm: Check for port partner validity before consuming it

 typec_register_partner() does not guarantee partner registration
 to always succeed. In the event of failure, port->partner is set
 to the error value or NULL. Given that port->partner validity is
 not checked, this results in the following crash:

 Unable to handle kernel NULL pointer dereference at virtual address xx
  pc : run_state_machine+0x1bc8/0x1c08
  lr : run_state_machine+0x1b90/0x1c08
 ..
  Call trace:
    run_state_machine+0x1bc8/0x1c08
    tcpm_state_machine_work+0x94/0xe4
    kthread_worker_fn+0x118/0x328
    kthread+0x1d0/0x23c
    ret_from_fork+0x10/0x20

 To prevent the crash, check for port->partner validity before
 derefencing it in all the call sites.

 The Linux kernel CVE team has assigned CVE-2024-36893 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15.132 with commit 31220bd89c22a18478f52fcd8069e8e2adb8f4f2 and fixed in 5.15.168 with commit 2a07e6f0ad8a6e504a3912cfe8dc859b7d0740a5
 	Issue introduced in 6.1.53 with commit 9b7cd3fe01f0d03cf5820b351a6be2a6e0a6da6f and fixed in 6.1.91 with commit d56d2ca03cc22123fd7626967d096d8661324e57
 	Issue introduced in 6.6 with commit c97cd0b4b54eb42aed7f6c3c295a2d137f6d2416 and fixed in 6.6.31 with commit 789326cafbd1f67f424436b6bc8bdb887a364637
 	Issue introduced in 6.6 with commit c97cd0b4b54eb42aed7f6c3c295a2d137f6d2416 and fixed in 6.8.10 with commit fc2b655cb6dd2b381f1f284989721002e39b6b77
 	Issue introduced in 6.6 with commit c97cd0b4b54eb42aed7f6c3c295a2d137f6d2416 and fixed in 6.9 with commit ae11f04b452b5205536e1c02d31f8045eba249dd
 	Issue introduced in 6.4.16 with commit 2897b36d2482b84f35e659989d5cb4501fb31ccd
 	Issue introduced in 6.5.3 with commit cbcf107780aecf51aba68488044a416d95060b6d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36893
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/typec/tcpm/tcpm.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2a07e6f0ad8a6e504a3912cfe8dc859b7d0740a5
 	https://git.kernel.org/stable/c/d56d2ca03cc22123fd7626967d096d8661324e57
 	https://git.kernel.org/stable/c/789326cafbd1f67f424436b6bc8bdb887a364637
 	https://git.kernel.org/stable/c/fc2b655cb6dd2b381f1f284989721002e39b6b77
 	https://git.kernel.org/stable/c/ae11f04b452b5205536e1c02d31f8045eba249dd
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36893: usb: typec: tcpm: Check for port partner validity before consuming it

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: typec: tcpm: Check for port partner validity before consuming it

	typec_register_partner() does not guarantee partner registration
	to always succeed. In the event of failure, port->partner is set
	to the error value or NULL. Given that port->partner validity is
	not checked, this results in the following crash:

	Unable to handle kernel NULL pointer dereference at virtual address xx
	pc : run_state_machine+0x1bc8/0x1c08
	lr : run_state_machine+0x1b90/0x1c08
	..
	Call trace:
	run_state_machine+0x1bc8/0x1c08
	tcpm_state_machine_work+0x94/0xe4
	kthread_worker_fn+0x118/0x328
	kthread+0x1d0/0x23c
	ret_from_fork+0x10/0x20

	To prevent the crash, check for port->partner validity before
	derefencing it in all the call sites.

	The Linux kernel CVE team has assigned CVE-2024-36893 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15.132 with commit 31220bd89c22a18478f52fcd8069e8e2adb8f4f2 and fixed in 5.15.168 with commit 2a07e6f0ad8a6e504a3912cfe8dc859b7d0740a5
	Issue introduced in 6.1.53 with commit 9b7cd3fe01f0d03cf5820b351a6be2a6e0a6da6f and fixed in 6.1.91 with commit d56d2ca03cc22123fd7626967d096d8661324e57
	Issue introduced in 6.6 with commit c97cd0b4b54eb42aed7f6c3c295a2d137f6d2416 and fixed in 6.6.31 with commit 789326cafbd1f67f424436b6bc8bdb887a364637
	Issue introduced in 6.6 with commit c97cd0b4b54eb42aed7f6c3c295a2d137f6d2416 and fixed in 6.8.10 with commit fc2b655cb6dd2b381f1f284989721002e39b6b77
	Issue introduced in 6.6 with commit c97cd0b4b54eb42aed7f6c3c295a2d137f6d2416 and fixed in 6.9 with commit ae11f04b452b5205536e1c02d31f8045eba249dd
	Issue introduced in 6.4.16 with commit 2897b36d2482b84f35e659989d5cb4501fb31ccd
	Issue introduced in 6.5.3 with commit cbcf107780aecf51aba68488044a416d95060b6d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36893
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/typec/tcpm/tcpm.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2a07e6f0ad8a6e504a3912cfe8dc859b7d0740a5
	https://git.kernel.org/stable/c/d56d2ca03cc22123fd7626967d096d8661324e57
	https://git.kernel.org/stable/c/789326cafbd1f67f424436b6bc8bdb887a364637
	https://git.kernel.org/stable/c/fc2b655cb6dd2b381f1f284989721002e39b6b77
	https://git.kernel.org/stable/c/ae11f04b452b5205536e1c02d31f8045eba249dd