Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2024-56670

Disclosure Date: December 27, 2024 •

CVE-2024-56670 CVSS v3 Base Score: 5.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer

Considering that in some extreme cases,
when u_serial driver is accessed by multiple threads,
Thread A is executing the open operation and calling the gs_open,
Thread B is executing the disconnect operation and calling the
gserial_disconnect function,The port->port_usb pointer will be set to NULL.

E.g.

Thread A                                 Thread B
gs_open()                                gadget_unbind_driver()
gs_start_io()                            composite_disconnect()
gs_start_rx()                            gserial_disconnect()
...                                      ...
spin_unlock(&port->port_lock)
status = usb_ep_queue()                  spin_lock(&port->port_lock)
spin_lock(&port->port_lock)              port->port_usb = NULL
gs_free_requests(port->port_usb->in)     spin_unlock(&port->port_lock)
Crash

This causes thread A to access a null pointer (port->port_usb is null)
when calling the gs_free_requests function, causing a crash.

If port_usb is NULL, the release request will be skipped as it
will be done by gserial_disconnect.

So add a null pointer check to gs_start_io before attempting
to access the value of the pointer port->port_usb.

Call trace:
gs_start_io+0x164/0x25c
gs_open+0x108/0x13c
tty_open+0x314/0x638
chrdev_open+0x1b8/0x258
do_dentry_open+0x2c4/0x700
vfs_open+0x2c/0x3c
path_openat+0xa64/0xc60
do_filp_open+0xb8/0x164
do_sys_openat2+0x84/0xf0
__arm64_sys_openat+0x70/0x9c
invoke_syscall+0x58/0x114
el0_svc_common+0x80/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x38/0x68

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.5 Medium

Impact Score:

3.6

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

None

Availability (A):

High

Vendors

linux

Products

References

Canonical

CVE-2024-56670 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56670)

Miscellaneous

https://git.kernel.org/stable/c/4efdfdc32d8d6307f968cd99f1db64468471bab1

https://git.kernel.org/stable/c/28b3c03a6790de1f6f2683919ad657840f0f0f58

https://git.kernel.org/stable/c/1247e1df086aa6c17ab53cd1bedce70dd7132765

https://git.kernel.org/stable/c/c83213b6649d22656b3a4e92544ceeea8a2c6c07

https://git.kernel.org/stable/c/8ca07a3d18f39b1669927ef536e485787e856df6

https://git.kernel.org/stable/c/dd6b0ca6025f64ccb465a6a3460c5b0307ed9c44

https://git.kernel.org/stable/c/4cfbca86f6a8b801f3254e0e3c8f2b1d2d64be2b

Rapid7

Unknown

CVE-2024-56670

Unknown

Unknown

None

Low

Local

CVE-2024-56670

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2024-56670

Unknown

Unknown

None

Low

Local

CVE-2024-56670

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification