CVE-2024-39479
Intel i915 Linux Kernel Unallocated Fraction
Description
In the Linux kernel, the following vulnerability has been resolved: drm/i915/hwmon: Get rid of devm When both hwmon and hwmon drvdata (on which hwmon depends) are device managed resources, the expectation, on device unbind, is that hwmon will be released before drvdata. However, in i915 there are two separate code paths, which both release either drvdata or hwmon and either can be released before the other. These code paths (for device unbind) are as follows (see also the bug referenced below): Call Trace: release_nodes+0x11/0x70 devres_release_group+0xb2/0x110 component_unbind_all+0x8d/0xa0 component_del+0xa5/0x140 intel_pxp_tee_component_fini+0x29/0x40 [i915] intel_pxp_fini+0x33/0x80 [i915] i915_driver_remove+0x4c/0x120 [i915] i915_pci_remove+0x19/0x30 [i915] pci_device_remove+0x32/0xa0 device_release_driver_internal+0x19c/0x200 unbind_store+0x9c/0xb0 and Call Trace: release_nodes+0x11/0x70 devres_release_all+0x8a/0xc0 device_unbind_cleanup+0x9/0x70 device_release_driver_internal+0x1c1/0x200 unbind_store+0x9c/0xb0 This means that in i915, if use devm, we cannot gurantee that hwmon will always be released before drvdata. Which means that we have a uaf if hwmon sysfs is accessed when drvdata has been released but hwmon hasn't. The only way out of this seems to be do get rid of devm_ and release/free everything explicitly during device unbind. v2: Change commit message and other minor code changes v3: Cleanup from i915_hwmon_register on error (Armin Wolf) v4: Eliminate potential static analyzer warning (Rodrigo) Eliminate fetch_and_zero (Jani) v5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi)
INFO
Published Date :
July 5, 2024, 7:15 a.m.
Last Modified :
Nov. 21, 2024, 9:27 a.m.
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable :
No
Impact Score :
5.9
Exploitability Score :
1.8
Public PoC/Exploit Available at Github
CVE-2024-39479 has a 2 public PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-39479.
| URL | Resource |
|---|---|
| https://git.kernel.org/stable/c/5bc9de065b8bb9b8dd8799ecb4592d0403b54281 | Mailing List Patch |
| https://git.kernel.org/stable/c/ce5a22d22db691d14516c3b8fdbf69139eb2ea8f | Mailing List Patch |
| https://git.kernel.org/stable/c/cfa73607eb21a4ce1d6294a2c5733628897b48a2 | Mailing List Patch |
| https://git.kernel.org/stable/c/5bc9de065b8bb9b8dd8799ecb4592d0403b54281 | Mailing List Patch |
| https://git.kernel.org/stable/c/ce5a22d22db691d14516c3b8fdbf69139eb2ea8f | Mailing List Patch |
| https://git.kernel.org/stable/c/cfa73607eb21a4ce1d6294a2c5733628897b48a2 | Mailing List Patch |
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
None
HTML C# CSS JavaScript Dockerfile
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-39479 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2024-39479 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference https://git.kernel.org/stable/c/5bc9de065b8bb9b8dd8799ecb4592d0403b54281 Added Reference https://git.kernel.org/stable/c/ce5a22d22db691d14516c3b8fdbf69139eb2ea8f Added Reference https://git.kernel.org/stable/c/cfa73607eb21a4ce1d6294a2c5733628897b48a2 -
Initial Analysis by [email protected]
Jul. 08, 2024
Action Type Old Value New Value Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Changed Reference Type https://git.kernel.org/stable/c/5bc9de065b8bb9b8dd8799ecb4592d0403b54281 No Types Assigned https://git.kernel.org/stable/c/5bc9de065b8bb9b8dd8799ecb4592d0403b54281 Mailing List, Patch Changed Reference Type https://git.kernel.org/stable/c/ce5a22d22db691d14516c3b8fdbf69139eb2ea8f No Types Assigned https://git.kernel.org/stable/c/ce5a22d22db691d14516c3b8fdbf69139eb2ea8f Mailing List, Patch Changed Reference Type https://git.kernel.org/stable/c/cfa73607eb21a4ce1d6294a2c5733628897b48a2 No Types Assigned https://git.kernel.org/stable/c/cfa73607eb21a4ce1d6294a2c5733628897b48a2 Mailing List, Patch Added CWE NIST NVD-CWE-noinfo Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.6 up to (excluding) 6.6.34 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.9 up to (excluding) 6.9.5 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jul. 08, 2024
Action Type Old Value New Value Added CWE CISA-ADP CWE-400 Added CVSS V3.1 CISA-ADP AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H -
CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Jul. 05, 2024
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: drm/i915/hwmon: Get rid of devm When both hwmon and hwmon drvdata (on which hwmon depends) are device managed resources, the expectation, on device unbind, is that hwmon will be released before drvdata. However, in i915 there are two separate code paths, which both release either drvdata or hwmon and either can be released before the other. These code paths (for device unbind) are as follows (see also the bug referenced below): Call Trace: release_nodes+0x11/0x70 devres_release_group+0xb2/0x110 component_unbind_all+0x8d/0xa0 component_del+0xa5/0x140 intel_pxp_tee_component_fini+0x29/0x40 [i915] intel_pxp_fini+0x33/0x80 [i915] i915_driver_remove+0x4c/0x120 [i915] i915_pci_remove+0x19/0x30 [i915] pci_device_remove+0x32/0xa0 device_release_driver_internal+0x19c/0x200 unbind_store+0x9c/0xb0 and Call Trace: release_nodes+0x11/0x70 devres_release_all+0x8a/0xc0 device_unbind_cleanup+0x9/0x70 device_release_driver_internal+0x1c1/0x200 unbind_store+0x9c/0xb0 This means that in i915, if use devm, we cannot gurantee that hwmon will always be released before drvdata. Which means that we have a uaf if hwmon sysfs is accessed when drvdata has been released but hwmon hasn't. The only way out of this seems to be do get rid of devm_ and release/free everything explicitly during device unbind. v2: Change commit message and other minor code changes v3: Cleanup from i915_hwmon_register on error (Armin Wolf) v4: Eliminate potential static analyzer warning (Rodrigo) Eliminate fetch_and_zero (Jani) v5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi) Added Reference kernel.org https://git.kernel.org/stable/c/cfa73607eb21a4ce1d6294a2c5733628897b48a2 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/ce5a22d22db691d14516c3b8fdbf69139eb2ea8f [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/5bc9de065b8bb9b8dd8799ecb4592d0403b54281 [No types assigned]
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-39479 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-39479
weaknesses.