Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-51237.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-51237
Upstream
Published
2024-10-21T18:15:08Z
Modified
2026-04-01T05:16:24.194322Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
CVE-2024-49874 affecting package kernel for versions less than 6.6.56.1-5
Details

In the Linux kernel, the following vulnerability has been resolved:

i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition

In the svc_i3c_master_probe function, &master->hj_work is bound with svc_i3c_master_hj_work, &master->ibi_work is bound with svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the hj_work, svc_i3c_master_irq_handler can start the ibi_work.

If we remove the module which will call svc_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0                                   CPU1

                                     | svc_i3c_master_hj_work
svc_i3c_master_remove                |
i3c_master_unregister(&master->base) |
device_unregister(&master->dev)      |
device_release                       |
//free master->base                  |
                                     | i3c_master_do_daa(&master->base)
                                     | //use master->base

Fix it by ensuring that the work is canceled before proceeding with the cleanup in svc_i3c_master_remove.


Affected packages

Azure Linux:3 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.6.56.1-5

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-51237.json"