Summary: The Linux kernel USB gadget subsystem had a use-after-free bug in the f_ncm function (CVE-2024-26996) that could crash the kernel. This post walks through how the freed ncm object could remain reachable through the netdev, the one-line condition change that fixes it, and what the bug means in practice, with the relevant code snippet.
Introduction
In the Linux kernel, a recent vulnerability (CVE-2024-26996) was discovered and resolved in the USB gadget subsystem's f_ncm function. f_ncm implements the USB CDC NCM (Network Control Model) Ethernet-over-USB function on the gadget, i.e. device, side. Under a specific sequence of events (a USB transport error followed by the network interface going down and the function being re-bound) it could leave a dangling pointer to a freed object, resulting in a use-after-free and a kernel crash.
Original References
1. Linux kernel source code (drivers/usb/gadget/function/f_ncm.c)
2. Commit that fixes the issue ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error")
3. Documentation of the USB gadget subsystem
4. Linux kernel mailing list thread discussing the issue
Vulnerability Details
The vulnerability occurs when the ncm function is active and the usb0 network interface is brought down for a link down, which calls eth_stop() and in turn ncm_disable(). If a USB transport error took place in usb_ep_enable(), the 'in_ep' and 'out_ep' endpoints may not be enabled at that point. ncm_disable() only called gether_disconnect() when 'in_ep' was enabled, so in this state the disconnect is skipped. gether_disconnect() is what clears 'dev->port_usb', the netdev's back-pointer to 'ncm->port'; without it the ncm object is released while 'dev->port_usb' still points into it. The netdev outlives the function object, so when a new ncm object is bound to recover the netdev, 'dev->port_usb' still refers to the previously freed ncm object, and the next call to eth_start_xmit() dereferences freed memory: a use-after-free.
Exploit Details
In gadget mode the Linux system is the USB device, so the peer that can cause transport errors is the USB host it is plugged into (a malicious or faulty host), or an attacker with physical access to the port; bringing usb0 down and re-binding the function are local administrative actions. The consequence described for this bug is a kernel crash, i.e. denial of service, on the gadget-side device. As with any kernel use-after-free, further exploitation cannot be ruled out in principle, but no privilege-escalation or code-execution exploit is described here.
Code Snippet Fix
To resolve the issue, the condition in ncm_disable() that gates the call to gether_disconnect() was changed from the endpoint state ('ncm->port.in_ep->enabled') to whether a netdev is still attached ('ncm->netdev' non-NULL). The state that must be undone is the netdev-to-port association, and 'ncm->netdev' tracks exactly that, whereas the endpoint flag can already be cleared by a transport error. With the new condition gether_disconnect() runs whenever the association exists, so 'dev->port_usb' is always cleared before the ncm object goes away, which removes the dangling pointer.
/* Simplified excerpt of ncm_disable() after the fix; surrounding code omitted. */
static void ncm_disable(struct usb_function *f)
{
	struct f_ncm *ncm = func_to_ncm(f);

	/* Gate on the netdev association, not on in_ep->enabled. */
	if (ncm->netdev) {
		gether_disconnect(&ncm->port);	/* clears dev->port_usb */
		ncm->netdev = NULL;
	}
}
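The following is an added example and not code from the kernel or from the original post: a small user-space model of the object lifecycle described in the Vulnerability Details and Code Snippet Fix sections. The struct and function names mirror f_ncm.c and u_ether.c, but every definition here is a simplified stand-in, and the way the transport error is modelled (both endpoints left disabled while the netdev is still bound to the port) is an assumption made for the demonstration. It replays the sequence link up, transport error, usb0 down, release, re-bind with the pre-fix and post-fix ncm_disable() conditions and reports whether dev->port_usb is left pointing at the released object.

```c
/*
 * Added example (not kernel code): user-space model of the object
 * lifecycle behind CVE-2024-26996. Names mirror f_ncm.c / u_ether.c,
 * but every struct and function below is a simplified stand-in.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct usb_ep  { bool enabled; };
struct eth_dev;
struct gether  { struct usb_ep *in_ep; struct usb_ep *out_ep; struct eth_dev *ioport; };
struct eth_dev { struct gether *port_usb; };   /* the netdev; outlives the function object */
struct f_ncm   { struct gether port; struct eth_dev *netdev; };

/* u_ether: enable the endpoints and bind the persistent netdev to this port. */
static struct eth_dev *gether_connect(struct gether *link, struct eth_dev *dev)
{
	link->in_ep->enabled = true;
	link->out_ep->enabled = true;
	dev->port_usb = link;
	link->ioport = dev;
	return dev;
}

/* u_ether: undo gether_connect(). Clearing dev->port_usb is the step the bug skipped. */
static void gether_disconnect(struct gether *link)
{
	struct eth_dev *dev = link->ioport;

	if (!dev)
		return;
	link->in_ep->enabled = false;
	link->out_ep->enabled = false;
	dev->port_usb = NULL;
	link->ioport = NULL;
}

/* Pre-fix condition: disconnect only while the IN endpoint is still enabled. */
static void ncm_disable_before_fix(struct f_ncm *ncm)
{
	if (ncm->port.in_ep->enabled) {
		gether_disconnect(&ncm->port);
		ncm->netdev = NULL;
	}
}

/* Post-fix condition: disconnect whenever a netdev is still attached. */
static void ncm_disable_after_fix(struct f_ncm *ncm)
{
	if (ncm->netdev) {
		gether_disconnect(&ncm->port);
		ncm->netdev = NULL;
	}
}

/*
 * Replay the advisory's sequence with the given ncm_disable() variant.
 * Returns true if the netdev is still bound to the port of the ncm object
 * at the moment that object is released, i.e. dev->port_usb dangles and
 * the next eth_start_xmit() would dereference freed memory.
 */
static bool replay(void (*disable)(struct f_ncm *), bool transport_error)
{
	struct usb_ep in_ep = { false }, out_ep = { false };
	struct eth_dev dev = { NULL };                 /* usb0's netdev, kept across re-bind */
	struct f_ncm *ncm = calloc(1, sizeof *ncm);    /* first bind of the function */
	struct f_ncm *ncm2;
	bool dangling;

	if (!ncm)
		abort();
	ncm->port.in_ep = &in_ep;
	ncm->port.out_ep = &out_ep;
	ncm->netdev = gether_connect(&ncm->port, &dev);   /* set_alt(1): link up */

	if (transport_error) {
		/* Assumed model of the error: the controller leaves both endpoints
		 * disabled while the netdev is still bound to this port. */
		in_ep.enabled = false;
		out_ep.enabled = false;
	}

	disable(ncm);                         /* usb0 down: eth_stop() -> ncm_disable() */
	dangling = dev.port_usb != NULL;      /* recorded before free, so no freed pointer is read */
	free(ncm);                            /* function object released (ncm_free) */

	ncm2 = calloc(1, sizeof *ncm2);       /* re-bind to recover the netdev; nothing clears */
	if (!ncm2)                            /* dev.port_usb here, so it still dangles if set */
		abort();
	ncm2->port.in_ep = &in_ep;
	ncm2->port.out_ep = &out_ep;
	free(ncm2);
	return dangling;
}

int main(void)
{
	printf("before fix, no transport error: %s\n", replay(ncm_disable_before_fix, false) ? "dangling" : "clean");
	printf("before fix, transport error:    %s\n", replay(ncm_disable_before_fix, true) ? "dangling" : "clean");
	printf("after fix,  transport error:    %s\n", replay(ncm_disable_after_fix, true) ? "dangling" : "clean");
	return 0;
}
```

Only the pre-fix condition combined with the transport error leaves the pointer dangling; without the error the endpoint flag and the netdev association agree, which is why the old check looked correct in normal operation.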
Conclusion
The recent Linux kernel USB gadget vulnerability (CVE-2024-26996) allowed a freed ncm object to remain reachable through 'dev->port_usb', leading to a use-after-free and kernel crashes on the gadget-side device. The fix makes ncm_disable() gate gether_disconnect() on 'ncm->netdev' rather than on the endpoint state, so the netdev is always de-associated from the port before the ncm object is released. Users of USB gadget configurations that include f_ncm are advised to update to a kernel that contains this fix.
Timeline
Published on: 05/01/2024 06:15:17 UTC
Last modified on: 12/23/2024 19:49:49 UTC