CVE-2024-39495

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-39495
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-39495.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-39495
Published
2024-07-12T12:20:31.022Z
Modified
2025-11-27T02:32:52.699323Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
greybus: Fix use-after-free bug in gb_interface_release due to race condition.
Details

In the Linux kernel, the following vulnerability has been resolved:

greybus: Fix use-after-free bug in gb_interface_release due to race condition.

In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code.

    if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... }

If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object "intf". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object "intf". The possible execution flow that may lead to the issue is as follows:

CPU0                    CPU1

                        |   gb_interface_create
                        |   gb_interface_request_mode_switch
gb_interface_release    |
kfree(intf) (free)      |
                        |   gb_interface_mode_switch_work
                        |   mutex_lock(&intf->mutex) (use)

Fix it by canceling the work before kfree.
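
The ordering described above, as an added example: a single-threaded userspace model, not kernel code and not the actual patch. The struct layout and the `model_*` helpers are hypothetical stand-ins for the work queue and for a cancel_work_sync()-style call; the page does not name the call the fix uses.

```c
/* Userspace model, constructed for illustration. Not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct work { void (*fn)(struct work *); bool pending; };
struct intf { int mutex_taken; struct work mode_switch_work; };

static struct work *wq_slot;   /* one-slot stand-in for system_long_wq */

/* Like queue_work(): returns false if the work is already pending. */
static bool model_queue_work(struct work *w)
{
    if (w->pending) return false;
    w->pending = true;
    wq_slot = w;
    return true;
}

/* Models cancelling a queued, not-yet-running work item: dequeue it. */
static void model_cancel_work(struct work *w)
{
    if (wq_slot == w) wq_slot = NULL;
    w->pending = false;
}

/* The handler the queue would call later; it dereferences its owner. */
static void mode_switch_work(struct work *w)
{
    struct intf *i = (struct intf *)((char *)w - offsetof(struct intf, mode_switch_work));
    i->mutex_taken++;          /* stands in for mutex_lock(&intf->mutex) */
}

/* Returns true if work embedded in intf was still queued when it was freed. */
static bool model_release(struct intf *i, bool cancel_first)
{
    if (cancel_first) model_cancel_work(&i->mode_switch_work);
    bool dangling = (wq_slot == &i->mode_switch_work);  /* checked before free */
    free(i);
    if (dangling) wq_slot = NULL;  /* the model drops it rather than running it */
    return dangling;
}

/* Create, request a mode switch, release: the CPU0/CPU1 flow above. */
bool release_leaves_dangling_work(bool cancel_first)
{
    struct intf *i = calloc(1, sizeof(*i));
    if (!i) return false;
    i->mode_switch_work.fn = mode_switch_work;
    model_queue_work(&i->mode_switch_work);
    return model_release(i, cancel_first);
}
```

With `cancel_first` false the queue still holds a pointer into the freed object, which is the use-after-free window; with it true, nothing references `intf` at the time of the free.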

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2024/39xxx/CVE-2024-39495.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
74cd0a421896b2e07eafe7da4275302bfecef201
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
fb071f5c75d4b1c177824de74ee75f9dd34123b9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
9a733d69a4a59c2d08620e6589d823c24be773dc
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
0b8fba38bdfb848fac52e71270b2aa3538c996ea
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
03ea2b129344152157418929f06726989efc0445
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.4.279
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.221
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.162
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.95
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.35
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.9.6