Bug 1222297 (CVE-2024-26653)

Summary: VUL-0: CVE-2024-26653: kernel: usb: misc: ljca: Fix double free in error handling path
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Kernel Bugs <kernel-bugs>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: rfrohl
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/399862/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26653:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-04-04 09:15:37 UTC 
In the Linux kernel, the following vulnerability has been resolved:

usb: misc: ljca: Fix double free in error handling path

When auxiliary_device_add() returns error and then calls
auxiliary_device_uninit(), callback function ljca_auxdev_release
calls kfree(auxdev->dev.platform_data) to free the parameter data
of the function ljca_new_client_device. The callers of
ljca_new_client_device shouldn't call kfree() again
in the error handling path to free the platform data.

Fix this by cleaning up the redundant kfree() in all callers and
adding kfree() the passed in platform_data on errors which happen
before auxiliary_device_init() succeeds .

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26653
https://bugzilla.redhat.com/show_bug.cgi?id=2272444
https://www.cve.org/CVERecord?id=CVE-2024-26653
https://git.kernel.org/stable/c/7c9631969287a5366bc8e39cd5abff154b35fb80
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-26653.mbox
https://git.kernel.org/stable/c/420babea4f1881a7c4ea22a8e218b8c6895d3f21
https://git.kernel.org/stable/c/8a9f653cc852677003c23ee8075e3ed8fb4743c9
Comment 1 Robert Frohl 2024-04-04 09:29:07 UTC 
does not affect our kernels, closing