CVE-2024-46746

In the Linux kernel, the following vulnerability has been resolved:

HID: amdsfh: free driverdata after destroying hid device

HID driver callbacks aren't called anymore once hiddestroydevice() has been called. Hence, hid driverdata should be freed only after the hiddestroydevice() function returned as driverdata is used in several callbacks.

I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling KASAN to debug memory allocation, I got this output:

[ 13.050438] ================================================================== [ 13.054060] BUG: KASAN: slab-use-after-free in amdsfhgetreport+0x3ec/0x530 [amdsfh] [ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3 [ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479

[ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0 [ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024 [ 13.067860] Call Trace: [ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8 [ 13.071486] <TASK> [ 13.071492] dumpstacklvl+0x5d/0x80 [ 13.074870] sndhdaintel 0000:33:00.6: enabling device (0000 -> 0002) [ 13.078296] ? amdsfhgetreport+0x3ec/0x530 [amdsfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.082199] printreport+0x174/0x505 [ 13.085776] ? pfxrawspinlockirqsave+0x10/0x10 [ 13.089367] ? srsoaliasreturnthunk+0x5/0xfbef5 [ 13.093255] ? amdsfhgetreport+0x3ec/0x530 [amdsfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.097464] kasanreport+0xc8/0x150 [ 13.101461] ? amdsfhgetreport+0x3ec/0x530 [amdsfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.105802] amdsfhgetreport+0x3ec/0x530 [amdsfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.110303] amdtphidrequest+0xb8/0x110 [amdsfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.114879] ? srsoaliasreturnthunk+0x5/0xfbef5 [ 13.119450] sensorhubgetfeature+0x1d3/0x540 [hidsensorhub 3f13be3016ff415bea03008d45d99da837ee3082] [ 13.124097] hidsensorparsecommonattributes+0x4d0/0xad0 [hidsensoriiocommon c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.127404] ? srsoaliasreturnthunk+0x5/0xfbef5 [ 13.131925] ? pfxhidsensorparsecommonattributes+0x10/0x10 [hidsensoriiocommon c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.136455] ? _rawspinlockirqsave+0x96/0xf0 [ 13.140197] ? _pfxrawspinlockirqsave+0x10/0x10 [ 13.143602] ? devmiiodevicealloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b] [ 13.147234] ? srsoaliasreturnthunk+0x5/0xfbef5 [ 13.150446] ? devmaddaction+0x167/0x1d0 [ 13.155061] hidgyro3dprobe+0x120/0x7f0 [hidsensorgyro3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.158581] ? srsoaliasreturnthunk+0x5/0xfbef5 [ 13.161814] platformprobe+0xa2/0x150 [ 13.165029] reallyprobe+0x1e3/0x8a0 [ 13.168243] _driverprobedevice+0x18c/0x370 [ 13.171500] driverprobedevice+0x4a/0x120 [ 13.175000] _driverattach+0x190/0x4a0 [ 13.178521] ? _pfxdriverattach+0x10/0x10 [ 13.181771] busforeachdev+0x106/0x180 [ 13.185033] ? pfxrawspinlock+0x10/0x10 [ 13.188229] ? _pfxbusforeachdev+0x10/0x10 [ 13.191446] ? srsoaliasreturnthunk+0x5/0xfbef5 [ 13.194382] busadddriver+0x29e/0x4d0 [ 13.197328] driverregister+0x1a5/0x360 [ 13.200283] ? _pfxhidgyro3dplatformdriverinit+0x10/0x10 [hidsensorgyro3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.203362] dooneinitcall+0xa7/0x380 [ 13.206432] ? _pfxdooneinitcall+0x10/0x10 [ 13.210175] ? srsoaliasreturnthunk+0x5/0xfbef5 [ 13.213211] ? kasanunpoison+0x44/0x70 [ 13.216688] doinit_module+0x238/0x750 [ 13.2196 ---truncated---