In the Linux kernel, the following vulnerability has been resolved:

ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs

The dreamcastcard->timer could schedule the spu_dma_work and the spu_dma_work could also arm the dreamcastcard->timer.

When the snd_pcm_substream is closing, the aica_channel will be deallocated. But it could still be dereferenced in the worker thread. The reason is that del_timer() will return directly regardless of whether the timer handler is running or not and the worker could be rescheduled in the timer handler. As a result, the UAF bug will happen. The racy situation is shown below:

```
      (Thread 1)                 |      (Thread 2)
snd_aicapcm_pcm_close()          |
 …                               |  run_spu_dma() //worker
                                 |    mod_timer()
  flush_work()                   |
  del_timer()                    |  aica_period_elapsed() //timer
  kfree(dreamcastcard->channel)  |    schedule_work()
                                 |  run_spu_dma() //worker
  …                              |    dreamcastcard->channel-> //USE
```

In order to mitigate this bug and other possible corner cases, call mod_timer() conditionally in run_spu_dma(), then implement PCM sync_stop op to cancel both the timer and worker. The sync_stop op will be called from PCM core appropriately when needed.
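
The teardown ordering described above, as an added userspace model (not the driver's or the kernel's code): it replays the interleaving from the diagram deterministically and counts worker runs that touch a freed channel. The struct, the function names and the `stopping` guard are assumptions made for illustration, as is modelling the cancels as ones that wait for a running handler or worker.

```c
#include <stdbool.h>
/* Userspace model only: every name here is a hypothetical stand-in,
 * not kernel API and not the driver's code. */
struct card {
    bool channel_alive;   /* cleared when the close path frees the channel */
    bool timer_armed;     /* timer is pending */
    bool handler_active;  /* timer handler is mid-run on another CPU */
    bool work_queued;     /* worker is pending */
    bool stopping;        /* assumed guard consulted before re-arming */
    int  stale_uses;      /* worker runs that touched a freed channel */
};
static void worker_run(struct card *c) {        /* models run_spu_dma() */
    c->work_queued = false;
    if (!c->channel_alive) { c->stale_uses++; return; }
    if (!c->stopping) c->timer_armed = true;    /* conditional re-arm */
}
static void handler_finish(struct card *c) {    /* models aica_period_elapsed() */
    c->handler_active = false;
    c->work_queued = true;                      /* schedule_work() */
}
static void drain(struct card *c) {             /* run Thread 2 after the free */
    for (;;) {
        if (c->timer_armed) { c->timer_armed = false; c->handler_active = true; }
        if (c->handler_active) handler_finish(c);
        if (!c->work_queued) break;
        worker_run(c);
    }
}
/* Original ordering: flush, non-waiting timer delete, free. */
static int close_unordered(void) {
    struct card c = { .channel_alive = true, .handler_active = true };
    while (c.work_queued) worker_run(&c);   /* flush: nothing queued yet */
    c.timer_armed = false;                  /* returns while handler still runs */
    c.channel_alive = false;                /* channel freed */
    drain(&c);
    return c.stale_uses;
}
/* Waiting cancels before the free; guard selects the conditional re-arm. */
static int close_sync_stop(bool guard) {
    struct card c = { .channel_alive = true, .handler_active = true };
    c.stopping = guard;
    handler_finish(&c);        /* timer cancel waits for the running handler */
    c.timer_armed = false;
    worker_run(&c);            /* work cancel waits for a worker that started */
    c.channel_alive = false;
    drain(&c);
    return c.stale_uses;
}
int main(void) { return close_unordered() == 1 && close_sync_stop(true) == 0 ? 0 : 1; }
```

In this model, calling `close_sync_stop(false)` still records a stale use, because a worker that re-arms the timer unconditionally leaves it pending after both cancels have returned.
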
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < 6.8.0-35.35 | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
git.kernel.org/linus/051e0840ffa8ab25554d6b14b62c9ab9e4901457 (6.9-rc2)
git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457
launchpad.net/bugs/cve/CVE-2024-26654
nvd.nist.gov/vuln/detail/CVE-2024-26654
security-tracker.debian.org/tracker/CVE-2024-26654
ubuntu.com/security/notices/USN-6816-1
ubuntu.com/security/notices/USN-6817-1
ubuntu.com/security/notices/USN-6817-2
ubuntu.com/security/notices/USN-6817-3
www.cve.org/CVERecord?id=CVE-2024-26654