CVE-2024-36961

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-36961
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36961.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-36961
Related
Published
2024-06-03T08:15:09Z
Modified
2024-09-18T03:26:25.202487Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

thermal/debugfs: Fix two locking issues with thermal zone debug

With the current thermal zone locking arrangement in the debugfs code, user space can open the "mitigations" file for a thermal zone before the zone's debugfs pointer is set which will result in a NULL pointer dereference in tzeseqstart().

Moreover, thermaldebugtzremove() is not called under the thermal zone lock, so it can run in parallel with the other functions accessing the thermal zone's struct thermaldebugfs object. Then, it may clear tz->debugfs after one of those functions has checked it and the struct thermal_debugfs object may be freed prematurely.

To address the first problem, pass a pointer to the thermal zone's struct thermaldebugfs object to debugfscreatefile() in thermaldebugtzadd() and make tzeseqstart(), tzeseqnext(), tzeseqstop(), and tzeseqshow() retrieve it from s->private instead of a pointer to the thermal zone object. This will ensure that tzdebugfs will be valid across the "mitigations" file accesses until thermaldebugfsremoveid() called by thermaldebugtz_remove() removes that file.

To address the second problem, use tz->lock in thermaldebugtz_remove() around the tz->debugfs value check (in case the same thermal zone is removed at the same time in two different threads) and its reset to NULL.

Cc :6.8+ stable@vger.kernel.org # 6.8+

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.8.11-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}