{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition\n\nIn the cdns_i3c_master_probe function, &master->hj_work is bound with\ncdns_i3c_master_hj. And cdns_i3c_master_interrupt can call\ncnds_i3c_master_demux_ibis function to start the work.\n\nIf we remove the module which will call cdns_i3c_master_remove to\nmake cleanup, it will free master->base through i3c_master_unregister\nwhile the work mentioned above will be used. The sequence of operations\nthat may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | cdns_i3c_master_hj\ncdns_i3c_master_remove |\ni3c_master_unregister(&master->base) |\ndevice_unregister(&master->dev) |\ndevice_release |\n//free master->base |\n | i3c_master_do_daa(&master->base)\n | //use master->base\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in cdns_i3c_master_remove." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/i3c/master/i3c-master-cdns.c" ], "versions": [ { "version": "1da177e4c3f4", "lessThan": "ea0256e393e0", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "687016d6a1ef", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "609366e7a06d", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/i3c/master/i3c-master-cdns.c" ], "versions": [ { "version": "6.6.57", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.11.4", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.12-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/ea0256e393e0072e8c80fd941547807f0c28108b" }, { "url": "https://git.kernel.org/stable/c/687016d6a1efbfacdd2af913e2108de6b75a28d5" }, { "url": "https://git.kernel.org/stable/c/609366e7a06d035990df78f1562291c3bf0d4a12" } ], "title": "i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition", "x_generator": { "engine": "bippy-c9c4e1df01b2" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2024-50061", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }