CVE-2024-47747

Summary

In the Linux kernel, the following vulnerability has been resolved:

net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition

In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows:

CPU0 CPU1

                  |  ether3_ledoff

ether3_remove | free_netdev(dev); | put_devic | kfree(dev); | | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2); | // use dev

Fix it by ensuring that the timer is canceled before proceeding with the cleanup in ether3_remove.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux6fd9c53f71862a4797b7ed8a5de80e2c64829f56 < 25d559ed2beec9b34045886100dac46d1ad92ebaaffected
LinuxLinux6fd9c53f71862a4797b7ed8a5de80e2c64829f56 < b5a84b6c772564c8359a9a0fbaeb2a2944aa1ee9affected
LinuxLinux6fd9c53f71862a4797b7ed8a5de80e2c64829f56 < 338a0582b28e69460df03af50e938b86b4206353affected
LinuxLinux6fd9c53f71862a4797b7ed8a5de80e2c64829f56 < 822c7bb1f6f8b0331e8d1927151faf8db3b33afdaffected
LinuxLinux6fd9c53f71862a4797b7ed8a5de80e2c64829f56 < 1c57d61a43293252ad732007c7070fdb112545fdaffected
LinuxLinux6fd9c53f71862a4797b7ed8a5de80e2c64829f56 < d2abc379071881798d20e2ac1d332ad855ae22f3affected
LinuxLinux6fd9c53f71862a4797b7ed8a5de80e2c64829f56 < 516dbc6d16637430808c39568cbb6b841d32b55baffected
LinuxLinux6fd9c53f71862a4797b7ed8a5de80e2c64829f56 < 77a77331cef0a219b8dd91361435eeef04cb741caffected
LinuxLinux6fd9c53f71862a4797b7ed8a5de80e2c64829f56 < b5109b60ee4fcb2f2bb24f589575e10cc5283ad4affected
LinuxLinux4.15affected
LinuxLinux0 < 4.15unaffected
LinuxLinux4.19.323 <= 4.19.*unaffected
LinuxLinux5.4.285 <= 5.4.*unaffected
LinuxLinux5.10.227 <= 5.10.*unaffected
LinuxLinux5.15.168 <= 5.15.*unaffected
LinuxLinux6.1.113 <= 6.1.*unaffected
LinuxLinux6.6.54 <= 6.6.*unaffected
LinuxLinux6.10.13 <= 6.10.*unaffected
LinuxLinux6.11.2 <= 6.11.*unaffected
LinuxLinux6.12 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

Additional References

References