CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-46746: HID: amd_sfh: free driver_data after destroying hid device

Description

In the Linux kernel, the following vulnerability has been resolved:

HID: amd_sfh: free driver_data after destroying hid device

HID driver callbacks aren't called anymore once hid_destroy_device() has
been called. Hence, hid driver_data should be freed only after the
hid_destroy_device() function returned as driver_data is used in several
callbacks.

I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling
KASAN to debug memory allocation, I got this output:

[ 13.050438] ==================================================================
[ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh]
[ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3
[ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479

[ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0
[ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024
[ 13.067860] Call Trace:
[ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8
[ 13.071486]
[ 13.071492] dump_stack_lvl+0x5d/0x80
[ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002)
[ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.082199] print_report+0x174/0x505
[ 13.085776] ? __pfx__raw_s...

Classification

CVE ID: CVE-2024-46746

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 5.03% (scored less or equal to compared to others)

EPSS Date: 2025-02-15 (when was this score calculated)

References

https://git.kernel.org/stable/c/86b4f5cf91ca03c08e3822ac89476a677a780bcc
https://git.kernel.org/stable/c/775125c7fe38533aaa4b20769f5b5e62cc1170a0
https://git.kernel.org/stable/c/60dc4ee0428d70bcbb41436b6729d29f1cbdfb89
https://git.kernel.org/stable/c/adb3e3c1ddb5a23b8b7122ef1913f528d728937c
https://git.kernel.org/stable/c/97155021ae17b86985121b33cf8098bcde00d497

Timeline