CVE - CVE-2024-38605

CVE-ID
CVE-2024-38605	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: core: Fix NULL module pointer assignment at card init The commit 81033c6b584b ("ALSA: core: Warn on empty module") introduced a WARN_ON() for a NULL module pointer passed at snd_card object creation, and it also wraps the code around it with '#ifdef MODULE'. This works in most cases, but the devils are always in details. "MODULE" is defined when the target code (i.e. the sound core) is built as a module; but this doesn't mean that the caller is also built-in or not. Namely, when only the sound core is built-in (CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m), the passed module pointer is ignored even if it's non-NULL, and card->module remains as NULL. This would result in the missing module reference up/down at the device open/close, leading to a race with the code execution after the module removal. For addressing the bug, move the assignment of card->module again out of ifdef. The WARN_ON() is still wrapped with ifdef because the module can be really NULL when all sound drivers are built-in. Note that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would lead to a false-positive NULL module check. Admittedly it won't catch perfectly, i.e. no check is performed when CONFIG_SND=y. But, it's no real problem as it's only for debugging, and the condition is pretty rare.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://git.kernel.org/stable/c/39381fe7394e5eafac76e7e9367e7351138a29c1 URL:https://git.kernel.org/stable/c/39381fe7394e5eafac76e7e9367e7351138a29c1 MISC:https://git.kernel.org/stable/c/6b8374ee2cabcf034faa34e69a855dc496a9ec12 URL:https://git.kernel.org/stable/c/6b8374ee2cabcf034faa34e69a855dc496a9ec12 MISC:https://git.kernel.org/stable/c/c935e72139e6d523defd60fe875c01eb1f9ea5c5 URL:https://git.kernel.org/stable/c/c935e72139e6d523defd60fe875c01eb1f9ea5c5 MISC:https://git.kernel.org/stable/c/d7ff29a429b56f04783152ad7bbd7233b740e434 URL:https://git.kernel.org/stable/c/d7ff29a429b56f04783152ad7bbd7233b740e434 MISC:https://git.kernel.org/stable/c/e007476725730c1a68387b54b7629486d8a8301e URL:https://git.kernel.org/stable/c/e007476725730c1a68387b54b7629486d8a8301e MISC:https://git.kernel.org/stable/c/e644036a3e2b2c9b3eee3c61b5d31c2ca8b5ba92 URL:https://git.kernel.org/stable/c/e644036a3e2b2c9b3eee3c61b5d31c2ca8b5ba92 MISC:https://git.kernel.org/stable/c/e7e0ca200772bdb2fdc6d43d32d341e87a36f811 URL:https://git.kernel.org/stable/c/e7e0ca200772bdb2fdc6d43d32d341e87a36f811
Assigning CNA
kernel.org
Date Record Created
20240618	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240618)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)