CVE-2024-26654

Summary

In the Linux kernel, the following vulnerability has been resolved:

ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs

The dreamcastcard->timer could schedule the spu_dma_work and the spu_dma_work could also arm the dreamcastcard->timer.

When the snd_pcm_substream is closing, the aica_channel will be deallocated. But it could still be dereferenced in the worker thread. The reason is that del_timer() will return directly regardless of whether the timer handler is running or not and the worker could be rescheduled in the timer handler. As a result, the UAF bug will happen. The racy situation is shown below:

  (Thread 1)                 |      (Thread 2)

snd_aicapcm_pcm_close() | … | run_spu_dma() //worker | mod_timer() flush_work() | del_timer() | aica_period_elapsed() //timer kfree(dreamcastcard->channel) | schedule_work() | run_spu_dma() //worker … | dreamcastcard->channel-> //USE

In order to mitigate this bug and other possible corner cases, call mod_timer() conditionally in run_spu_dma(), then implement PCM sync_stop op to cancel both the timer and worker. The sync_stop op will be called from PCM core appropriately when needed.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux198de43d758ca2700e2b52b49c0b189b4931466c < eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2affected
LinuxLinux198de43d758ca2700e2b52b49c0b189b4931466c < 4206ad65a0ee76920041a755bd3c17c6ba59bba2affected
LinuxLinux198de43d758ca2700e2b52b49c0b189b4931466c < aa39e6878f61f50892ee2dd9d2176f72020be845affected
LinuxLinux198de43d758ca2700e2b52b49c0b189b4931466c < 8c990221681688da34295d6d76cc2f5b963e83f5affected
LinuxLinux198de43d758ca2700e2b52b49c0b189b4931466c < 9d66ae0e7bb78b54e1e0525456c6b54e1d132046affected
LinuxLinux198de43d758ca2700e2b52b49c0b189b4931466c < 61d4787692c1fccdc268ffa7a891f9c149f50901affected
LinuxLinux198de43d758ca2700e2b52b49c0b189b4931466c < e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3affected
LinuxLinux198de43d758ca2700e2b52b49c0b189b4931466c < 3c907bf56905de7d27b329afaf59c2fb35d17b04affected
LinuxLinux198de43d758ca2700e2b52b49c0b189b4931466c < 051e0840ffa8ab25554d6b14b62c9ab9e4901457affected
LinuxLinux2.6.23affected
LinuxLinux0 < 2.6.23unaffected
LinuxLinux4.19.312 <= 4.19.*unaffected
LinuxLinux5.4.274 <= 5.4.*unaffected
LinuxLinux5.10.215 <= 5.10.*unaffected
LinuxLinux5.15.154 <= 5.15.*unaffected
LinuxLinux6.1.84 <= 6.1.*unaffected
LinuxLinux6.6.24 <= 6.6.*unaffected
LinuxLinux6.7.12 <= 6.7.*unaffected
LinuxLinux6.8.3 <= 6.8.*unaffected
LinuxLinux6.9 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References