CVE - CVE-2024-26654

CVE-ID
CVE-2024-26654	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs The dreamcastcard->timer could schedule the spu_dma_work and the spu_dma_work could also arm the dreamcastcard->timer. When the snd_pcm_substream is closing, the aica_channel will be deallocated. But it could still be dereferenced in the worker thread. The reason is that del_timer() will return directly regardless of whether the timer handler is running or not and the worker could be rescheduled in the timer handler. As a result, the UAF bug will happen. The racy situation is shown below: (Thread 1) \| (Thread 2) snd_aicapcm_pcm_close() \| ... \| run_spu_dma() //worker \| mod_timer() flush_work() \| del_timer() \| aica_period_elapsed() //timer kfree(dreamcastcard->channel) \| schedule_work() \| run_spu_dma() //worker ... \| dreamcastcard->channel-> //USE In order to mitigate this bug and other possible corner cases, call mod_timer() conditionally in run_spu_dma(), then implement PCM sync_stop op to cancel both the timer and worker. The sync_stop op will be called from PCM core appropriately when needed.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457 URL:https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457 MISC:https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04 URL:https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04 MISC:https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2 URL:https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2 MISC:https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901 URL:https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901 MISC:https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5 URL:https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5 MISC:https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046 URL:https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046 MISC:https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845 URL:https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845 MISC:https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3 URL:https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3 MISC:https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2 URL:https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2
Assigning CNA
kernel.org
Date Record Created
20240219	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240219)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)