CVE-2024-57913

{"id": "CVE-2024-57913", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2025-01-19T12:15:25.477", "references": [{"url": "https://git.kernel.org/stable/c/19fc1c83454ca9d5699e39633ec79ce26355251c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3e4d32cc145955d5c56c5498a3ff057e4aafa9d1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/82f60f3600aecd9ffcd0fbc4e193694511c85b47", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a8b6a18b9b66cc4c016d63132b59ce5383f7cdd2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bfe60030fcd976e3546e1f73d6d0eb3fea26442e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dfc51e48bca475bbee984e90f33fdc537ce09699", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ea6a1498742430eb2effce0d1439ff29ef37dd7d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Remove WARN_ON in functionfs_bind\n\nThis commit addresses an issue related to below kernel panic where\npanic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON\nin functionsfs_bind, which easily leads to the following scenarios.\n\n1.adb_write in adbd 2. UDC write via configfs\n =================\t =====================\n\n->usb_ffs_open_thread() ->UDC write\n ->open_functionfs() ->configfs_write_iter()\n ->adb_open() ->gadget_dev_desc_UDC_store()\n ->adb_write() ->usb_gadget_register_driver_owner\n ->driver_register()\n->StartMonitor() ->bus_add_driver()\n ->adb_read() ->gadget_bind_driver()\n<times-out without BIND event> ->configfs_composite_bind()\n ->usb_add_function()\n->open_functionfs() ->ffs_func_bind()\n ->adb_open() ->functionfs_bind()\n <ffs->state !=FFS_ACTIVE>\n\nThe adb_open, adb_read, and adb_write operations are invoked from the\ndaemon, but trying to bind the function is a process that is invoked by\nUDC write through configfs, which opens up the possibility of a race\ncondition between the two paths. In this race scenario, the kernel panic\noccurs due to the WARN_ON from functionfs_bind when panic_on_warn is\nenabled. This commit fixes the kernel panic by removing the unnecessary\nWARN_ON.\n\nKernel panic - not syncing: kernel: panic_on_warn set ...\n[ 14.542395] Call trace:\n[ 14.542464] ffs_func_bind+0x1c8/0x14a8\n[ 14.542468] usb_add_function+0xcc/0x1f0\n[ 14.542473] configfs_composite_bind+0x468/0x588\n[ 14.542478] gadget_bind_driver+0x108/0x27c\n[ 14.542483] really_probe+0x190/0x374\n[ 14.542488] __driver_probe_device+0xa0/0x12c\n[ 14.542492] driver_probe_device+0x3c/0x220\n[ 14.542498] __driver_attach+0x11c/0x1fc\n[ 14.542502] bus_for_each_dev+0x104/0x160\n[ 14.542506] driver_attach+0x24/0x34\n[ 14.542510] bus_add_driver+0x154/0x270\n[ 14.542514] driver_register+0x68/0x104\n[ 14.542518] usb_gadget_register_driver_owner+0x48/0xf4\n[ 14.542523] gadget_dev_desc_UDC_store+0xf8/0x144\n[ 14.542526] configfs_write_iter+0xf0/0x138"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: gadget: f_fs: eliminar WARN_ON en functionfs_bind Esta confirmaci\u00f3n soluciona un problema relacionado con el p\u00e1nico del kernel que se muestra a continuaci\u00f3n, donde panic_on_warn est\u00e1 habilitado. Es causado por el uso innecesario de WARN_ON en functionsfs_bind, lo que f\u00e1cilmente conduce a los siguientes escenarios. 1.adb_write en adbd 2. Escritura de UDC a trav\u00e9s de configfs ================= ====================== -&gt;usb_ffs_open_thread() -&gt;Escritura de UDC -&gt;open_functionfs() -&gt;configfs_write_iter() -&gt;adb_open() -&gt;gadget_dev_desc_UDC_store() -&gt;adb_write() -&gt;usb_gadget_register_driver_owner -&gt;driver_register() -&gt;StartMonitor() -&gt;bus_add_driver() -&gt;adb_read() -&gt;gadget_bind_driver() -&gt;configfs_composite_bind() -&gt;usb_add_function() -&gt;open_functionfs() -&gt;ffs_func_bind() -&gt;adb_open() -&gt;functionfs_bind() state !=FFS_ACTIVE&gt; Las operaciones adb_open, adb_read y adb_write se invocan desde el daemon, pero intentar vincular la funci\u00f3n es un proceso que se invoca mediante escritura UDC a trav\u00e9s de configfs, lo que abre la posibilidad de una condici\u00f3n de ejecuci\u00f3n entre las dos rutas. En este escenario de ejecuci\u00f3n, el p\u00e1nico del kernel se produce debido al WARN_ON de functionfs_bind cuando panic_on_warn est\u00e1 habilitado. Esta confirmaci\u00f3n corrige el p\u00e1nico del kernel eliminando el WARN_ON innecesario. P\u00e1nico del n\u00facleo: no se sincroniza: n\u00facleo: panic_on_warn establecido ... [ 14.542395] Seguimiento de llamadas: [ 14.542464] ffs_func_bind+0x1c8/0x14a8 [ 14.542468] usb_add_function+0xcc/0x1f0 [ 14.542473] configfs_composite_bind+0x468/0x588 [ 14.542478] gadget_bind_driver+0x108/0x27c [ 14.542483] really_probe+0x190/0x374 [ 14.542488] __driver_probe_device+0xa0/0x12c [ 14.542492] controlador_probe_device+0x3c/0x220 [ 14.542498] __driver_attach+0x11c/0x1fc [ 14.542502] bus_for_each_dev+0x104/0x160 [ 14.542506] controlador_attach+0x24/0x34 [ 14.542510] bus_add_driver+0x154/0x270 [ 14.542514] controlador_register+0x68/0x104 [ 14.542518] usb_gadget_register_driver_owner+0x48/0xf4 [ 14.542523] gadget_dev_desc_UDC_store+0xf8/0x144 [ 14.542526] configfs_write_iter+0xf0/0x138"}], "lastModified": "2025-02-27T21:59:09.400", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0404F1AE-E190-4B6A-AA79-D0B97E168526", "versionEndExcluding": "5.4.290", "versionStartIncluding": "2.6.35"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F732162B-ED7E-4367-A5C2-B24FD9B0D33B", "versionEndExcluding": "5.10.234", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71A3AFDC-A3CA-454F-8917-E998BBDE36F8", "versionEndExcluding": "5.15.177", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9AFD566B-ECC6-46F1-92F7-12A615D5685F", "versionEndExcluding": "6.1.125", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33E12097-C88A-45B4-9677-2A961A08DD3E", "versionEndExcluding": "6.6.72", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02D604F6-10D1-4F7B-A022-0888406A1121", "versionEndExcluding": "6.12.10", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93C0660D-7FB8-4FBA-892A-B064BA71E49E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "034C36A6-C481-41F3-AE9A-D116E5BE6895"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}