CVE-2024-50061

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-50061
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50061.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50061
Downstream
Related
Published
2024-10-21T19:39:50.415Z
Modified
2026-03-20T12:39:34.780786Z
Summary
i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
Details

In the Linux kernel, the following vulnerability has been resolved:

i3c: master: cdns: Fix use after free vulnerability in cdnsi3cmaster Driver Due to Race Condition

In the cdnsi3cmasterprobe function, &master->hjwork is bound with cdnsi3cmasterhj. And cdnsi3cmasterinterrupt can call cndsi3cmasterdemuxibis function to start the work.

If we remove the module which will call cdnsi3cmasterremove to make cleanup, it will free master->base through i3cmaster_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0 CPU1

                                 | cdns_i3c_master_hj

cdnsi3cmasterremove | i3cmasterunregister(&master->base) | deviceunregister(&master->dev) | devicerelease | //free master->base | | i3cmasterdodaa(&master->base) | //use master->base

Fix it by ensuring that the work is canceled before proceeding with the cleanup in cdnsi3cmaster_remove.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50061.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0
Fixed
2a21bad9964c91b34d65ba269914233720c0b1ce
Fixed
ea0256e393e0072e8c80fd941547807f0c28108b
Fixed
687016d6a1efbfacdd2af913e2108de6b75a28d5
Fixed
609366e7a06d035990df78f1562291c3bf0d4a12

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50061.json"