We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-50061

i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition



AssignerLinux
Reserved2024-10-21
Published2024-10-21
Updated2024-10-22

Description

In the Linux kernel, the following vulnerability has been resolved: i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition In the cdns_i3c_master_probe function, &master->hj_work is bound with cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call cnds_i3c_master_demux_ibis function to start the work. If we remove the module which will call cdns_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | cdns_i3c_master_hj cdns_i3c_master_remove | i3c_master_unregister(&master->base) | device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base Fix it by ensuring that the work is canceled before proceeding with the cleanup in cdns_i3c_master_remove.

Product status

Default status
unaffected

1da177e4c3f4 before ea0256e393e0
affected

1da177e4c3f4 before 687016d6a1ef
affected

1da177e4c3f4 before 609366e7a06d
affected

Default status
affected

6.6.57
unaffected

6.11.4
unaffected

6.12-rc1
unaffected

References

https://git.kernel.org/stable/c/ea0256e393e0072e8c80fd941547807f0c28108b

https://git.kernel.org/stable/c/687016d6a1efbfacdd2af913e2108de6b75a28d5

https://git.kernel.org/stable/c/609366e7a06d035990df78f1562291c3bf0d4a12

cve.org CVE-2024-50061

nvd.nist.gov CVE-2024-50061

Download JSON

Share this page
https://cve.threatint.com
Subscribe to our newsletter to learn more about our work.