CVE-2024-50061

Summary

In the Linux kernel, the following vulnerability has been resolved:

i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition

In the cdns_i3c_master_probe function, &master->hj_work is bound with cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call cnds_i3c_master_demux_ibis function to start the work.

If we remove the module which will call cdns_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0 CPU1

                                 | cdns_i3c_master_hj

cdns_i3c_master_remove | i3c_master_unregister(&master->base) | device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base

Fix it by ensuring that the work is canceled before proceeding with the cleanup in cdns_i3c_master_remove.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 < 2a21bad9964c91b34d65ba269914233720c0b1ceaffected
LinuxLinux3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 < ea0256e393e0072e8c80fd941547807f0c28108baffected
LinuxLinux3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 < 687016d6a1efbfacdd2af913e2108de6b75a28d5affected
LinuxLinux3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 < 609366e7a06d035990df78f1562291c3bf0d4a12affected
LinuxLinux5.0affected
LinuxLinux0 < 5.0unaffected
LinuxLinux6.1.129 <= 6.1.*unaffected
LinuxLinux6.6.57 <= 6.6.*unaffected
LinuxLinux6.11.4 <= 6.11.*unaffected
LinuxLinux6.12 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References