CVE-2024-50061

{"id": "CVE-2024-50061", "cveTags": [], "metrics": {}, "published": "2024-10-21T20:15:18.210", "references": [{"url": "https://git.kernel.org/stable/c/609366e7a06d035990df78f1562291c3bf0d4a12", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/687016d6a1efbfacdd2af913e2108de6b75a28d5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ea0256e393e0072e8c80fd941547807f0c28108b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition\n\nIn the cdns_i3c_master_probe function, &master->hj_work is bound with\ncdns_i3c_master_hj. And cdns_i3c_master_interrupt can call\ncnds_i3c_master_demux_ibis function to start the work.\n\nIf we remove the module which will call cdns_i3c_master_remove to\nmake cleanup, it will free master->base through i3c_master_unregister\nwhile the work mentioned above will be used. The sequence of operations\nthat may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | cdns_i3c_master_hj\ncdns_i3c_master_remove |\ni3c_master_unregister(&master->base) |\ndevice_unregister(&master->dev) |\ndevice_release |\n//free master->base |\n | i3c_master_do_daa(&master->base)\n | //use master->base\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in cdns_i3c_master_remove."}], "lastModified": "2024-10-21T20:15:18.210", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}