CVE-2024-49924

In the Linux kernel, the following vulnerability has been resolved: fbdev: pxafb: Fix possible use after free in pxafb_task() In the pxafb_probe function, it calls the pxafb_init_fbinfo function, after which &fbi->task is associated with pxafb_task. Moreover, within this pxafb_init_fbinfo function, the pxafb_blank function within the &pxafb_ops struct is capable of scheduling work. If we remove the module which will call pxafb_remove to make cleanup, it will call unregister_framebuffer function which can call do_unregister_framebuffer to free fbi->fb through put_fb_info(fb_info), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | pxafb_task pxafb_remove | unregister_framebuffer(info) | do_unregister_framebuffer(fb_info) | put_fb_info(fb_info) | // free fbi->fb | set_ctrlr_state(fbi, state) | __pxafb_lcd_power(fbi, 0) | fbi->lcd_power(on, &fbi->fb.var) | //use fbi->fb Fix it by ensuring that the work is canceled before proceeding with the cleanup in pxafb_remove. Note that only root user can remove the driver at runtime.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

08 Nov 2024, 16:15

Type Values Removed Values Added
References
  • () https://git.kernel.org/stable/c/6d0a07f68b66269e167def6c0b90a219cd3e7473 -
  • () https://git.kernel.org/stable/c/e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd -

25 Oct 2024, 15:21

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
First Time Linux linux Kernel
Linux
References () https://git.kernel.org/stable/c/3c0d416eb4bef705f699213cee94bf54b6acdacd - () https://git.kernel.org/stable/c/3c0d416eb4bef705f699213cee94bf54b6acdacd - Patch
References () https://git.kernel.org/stable/c/4a6921095eb04a900e0000da83d9475eb958e61e - () https://git.kernel.org/stable/c/4a6921095eb04a900e0000da83d9475eb958e61e - Patch
References () https://git.kernel.org/stable/c/4cda484e584be34d55ee17436ebf7ad11922b97a - () https://git.kernel.org/stable/c/4cda484e584be34d55ee17436ebf7ad11922b97a - Patch
References () https://git.kernel.org/stable/c/a3a855764dbacbdb1cc51e15dc588f2d21c93e0e - () https://git.kernel.org/stable/c/a3a855764dbacbdb1cc51e15dc588f2d21c93e0e - Patch
References () https://git.kernel.org/stable/c/aaadc0cb05c999ccd8898a03298b7e5c31509b08 - () https://git.kernel.org/stable/c/aaadc0cb05c999ccd8898a03298b7e5c31509b08 - Patch
References () https://git.kernel.org/stable/c/e6897e299f57b103e999e62010b88e363b3eebae - () https://git.kernel.org/stable/c/e6897e299f57b103e999e62010b88e363b3eebae - Patch
References () https://git.kernel.org/stable/c/fdda354f60a576d52dcf90351254714681df4370 - () https://git.kernel.org/stable/c/fdda354f60a576d52dcf90351254714681df4370 - Patch
CWE CWE-416
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

23 Oct 2024, 15:13

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fbdev: pxafb: Arregla posible use after free en pxafb_task() En la función pxafb_probe, llama a la función pxafb_init_fbinfo, después de lo cual &fbi->task se asocia con pxafb_task. Además, dentro de esta función pxafb_init_fbinfo, la función pxafb_blank dentro de la estructura &pxafb_ops es capaz de programar trabajo. Si eliminamos el módulo que llamará a pxafb_remove para hacer la limpieza, llamará a la función unregister_framebuffer que puede llamar a do_unregister_framebuffer para liberar fbi->fb a través de put_fb_info(fb_info), mientras que se utilizará el trabajo mencionado anteriormente. La secuencia de operaciones que pueden llevar a un error de UAF es la siguiente: CPU0 CPU1 | pxafb_task pxafb_remove | unregister_framebuffer(info) | do_unregister_framebuffer(fb_info) | put_fb_info(fb_info) | // free fbi->fb | set_ctrlr_state(fbi, state) | __pxafb_lcd_power(fbi, 0) | fbi->lcd_power(on, &fbi->fb.var) | //use fbi->fb Solucione el problema asegurándose de cancelar el trabajo antes de continuar con la limpieza en pxafb_remove. Tenga en cuenta que solo el usuario root puede eliminar el controlador en tiempo de ejecución.

21 Oct 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-21 18:15

Updated : 2024-11-08 16:15


NVD link : CVE-2024-49924

Mitre link : CVE-2024-49924

CVE.ORG link : CVE-2024-49924


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free