CVE-2024-49874
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition
In the svc_i3c_master_probe function, &master->hj_work is bound with svc_i3c_master_hj_work, &master->ibi_work is bound with svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the hj_work, svc_i3c_master_irq_handler can start the ibi_work.
If we remove the module which will call svc_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| svc_i3c_master_hj_work
svc_i3c_master_remove | i3c_master_unregister(&master->base)| device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base
Fix it by ensuring that the work is canceled before proceeding with the cleanup in svc_i3c_master_remove.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 87e0f28eda36c7843523aa8dd0c5dab3331e9718 < 56bddf543d4d7ddeff3f87b554ddacfdf086bffe | affected |
| Linux | Linux | 0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7 < 4ac637122930cc4ab7e2c22e364cf3aaf96b05b1 | affected |
| Linux | Linux | 0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7 < 4318998892bf8fe99f97bea18c37ae7b685af75a | affected |
| Linux | Linux | 0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7 < 27b55724d3f781dd6e635e89dc6e2fd78fa81a00 | affected |
| Linux | Linux | 0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7 < 61850725779709369c7e907ae8c7c75dc7cec4f3 | affected |
| Linux | Linux | 6.4 | affected |
| Linux | Linux | 0 < 6.4 | unaffected |
| Linux | Linux | 6.6.55 <= 6.6.* | unaffected |
| Linux | Linux | 6.10.14 <= 6.10.* | unaffected |
| Linux | Linux | 6.11.3 <= 6.11.* | unaffected |
| Linux | Linux | 6.12 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/56bddf543d4d7ddeff3f87b554ddacfdf086bffe
- https://git.kernel.org/stable/c/4ac637122930cc4ab7e2c22e364cf3aaf96b05b1
- https://git.kernel.org/stable/c/4318998892bf8fe99f97bea18c37ae7b685af75a
- https://git.kernel.org/stable/c/27b55724d3f781dd6e635e89dc6e2fd78fa81a00
- https://git.kernel.org/stable/c/61850725779709369c7e907ae8c7c75dc7cec4f3
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.