CVE-2024-49874

Summary

In the Linux kernel, the following vulnerability has been resolved:

i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition

In the svc_i3c_master_probe function, &master->hj_work is bound with svc_i3c_master_hj_work, &master->ibi_work is bound with svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the hj_work, svc_i3c_master_irq_handler can start the ibi_work.

If we remove the module which will call svc_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0 CPU1

                                | svc_i3c_master_hj_work

svc_i3c_master_remove | i3c_master_unregister(&master->base)| device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base

Fix it by ensuring that the work is canceled before proceeding with the cleanup in svc_i3c_master_remove.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux87e0f28eda36c7843523aa8dd0c5dab3331e9718 < 56bddf543d4d7ddeff3f87b554ddacfdf086bffeaffected
LinuxLinux0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7 < 4ac637122930cc4ab7e2c22e364cf3aaf96b05b1affected
LinuxLinux0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7 < 4318998892bf8fe99f97bea18c37ae7b685af75aaffected
LinuxLinux0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7 < 27b55724d3f781dd6e635e89dc6e2fd78fa81a00affected
LinuxLinux0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7 < 61850725779709369c7e907ae8c7c75dc7cec4f3affected
LinuxLinux6.4affected
LinuxLinux0 < 6.4unaffected
LinuxLinux6.6.55 <= 6.6.*unaffected
LinuxLinux6.10.14 <= 6.10.*unaffected
LinuxLinux6.11.3 <= 6.11.*unaffected
LinuxLinux6.12 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References