{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()\n\nWhen unregister pd capabilitie in tcpm, KASAN will capture below double\n-free issue. The root cause is the same capabilitiy will be kfreed twice,\nthe first time is kfreed by pd_capabilities_release() and the second time\nis explicitly kfreed by tcpm_port_unregister_pd().\n\n[ 3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc\n[ 3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10\n[ 4.001206]\n[ 4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53\n[ 4.012402] Hardware name: Freescale i.MX8QXP MEK (DT)\n[ 4.017569] Workqueue: events_unbound deferred_probe_work_func\n[ 4.023456] Call trace:\n[ 4.025920] dump_backtrace+0x94/0xec\n[ 4.029629] show_stack+0x18/0x24\n[ 4.032974] dump_stack_lvl+0x78/0x90\n[ 4.036675] print_report+0xfc/0x5c0\n[ 4.040289] kasan_report_invalid_free+0xa0/0xc0\n[ 4.044937] __kasan_slab_free+0x124/0x154\n[ 4.049072] kfree+0xb4/0x1e8\n[ 4.052069] tcpm_port_unregister_pd+0x1a4/0x3dc\n[ 4.056725] tcpm_register_port+0x1dd0/0x2558\n[ 4.061121] tcpci_register_port+0x420/0x71c\n[ 4.065430] tcpci_probe+0x118/0x2e0\n\nTo fix the issue, this will remove kree() from tcpm_port_unregister_pd()." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/usb/typec/tcpm/tcpm.c" ], "versions": [ { "version": "cd099cde4ed2", "lessThan": "242e425ed580", "status": "affected", "versionType": "git" }, { "version": "cd099cde4ed2", "lessThan": "b63f90487bdf", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/usb/typec/tcpm/tcpm.c" ], "versions": [ { "version": "6.8", "status": "affected" }, { "version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "custom" }, { "version": "6.8.3", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/242e425ed580b2f4dbcb86c8fc03a410a4084a69" }, { "url": "https://git.kernel.org/stable/c/b63f90487bdf93a4223ce7853d14717e9d452856" } ], "title": "usb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()", "x_generator": { "engine": "bippy-a5840b7849dd" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2024-26932", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }