CVE-2024-50061

In the Linux kernel, the following vulnerability has been resolved: i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition In the cdns_i3c_master_probe function, &master->hj_work is bound with cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call cnds_i3c_master_demux_ibis function to start the work. If we remove the module which will call cdns_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | cdns_i3c_master_hj cdns_i3c_master_remove | i3c_master_unregister(&master->base) | device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base Fix it by ensuring that the work is canceled before proceeding with the cleanup in cdns_i3c_master_remove.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

23 Oct 2024, 21:48

Type Values Removed Values Added
First Time Linux linux Kernel
Linux
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/609366e7a06d035990df78f1562291c3bf0d4a12 - () https://git.kernel.org/stable/c/609366e7a06d035990df78f1562291c3bf0d4a12 - Patch
References () https://git.kernel.org/stable/c/687016d6a1efbfacdd2af913e2108de6b75a28d5 - () https://git.kernel.org/stable/c/687016d6a1efbfacdd2af913e2108de6b75a28d5 - Patch
References () https://git.kernel.org/stable/c/ea0256e393e0072e8c80fd941547807f0c28108b - () https://git.kernel.org/stable/c/ea0256e393e0072e8c80fd941547807f0c28108b - Patch
CWE CWE-416
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.0

23 Oct 2024, 15:12

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: i3c: master: cdns: Arreglar la vulnerabilidad de use after free en el controlador cdns_i3c_master debido a la condición de ejecución En la función cdns_i3c_master_probe, &master->hj_work está vinculado con cdns_i3c_master_hj. Y cdns_i3c_master_interrupt puede llamar a la función cnds_i3c_master_demux_ibis para iniciar el trabajo. Si eliminamos el módulo que llamará a cdns_i3c_master_remove para realizar la limpieza, liberará master->base a través de i3c_master_unregister mientras se usará el trabajo mencionado anteriormente. La secuencia de operaciones que pueden provocar un error de UAF es la siguiente: CPU0 CPU1 | cdns_i3c_master_hj cdns_i3c_master_remove | Corríjalo asegurándose de que el trabajo se cancele antes de continuar con la limpieza en cdns_i3c_master_remove.

21 Oct 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-21 20:15

Updated : 2024-10-23 21:48


NVD link : CVE-2024-50061

Mitre link : CVE-2024-50061

CVE.ORG link : CVE-2024-50061


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free