In the Linux kernel, the following vulnerability has been resolved:
greybus: Fix use-after-free bug in gb_interface_release due to race condition.
In gb_interface_create, &intf->mode_switch_completion is bound with
gb_interface_mode_switch_work. Then it will be started by
gb_interface_request_mode_switch. Here is the relevant code.
if (!queue_work(system_long_wq, &intf->mode_switch_work)) {
...
}
If we call gb_interface_release to make cleanup, there may be an
unfinished work. This function will call kfree to free the object
"intf". However, if gb_interface_mode_switch_work is scheduled to
run after kfree, it may cause use-after-free error as
gb_interface_mode_switch_work will use the object "intf".
The possible execution flow that may lead to the issue is as follows:
CPU0 CPU1
| gb_interface_create
| gb_interface_request_mode_switch
gb_interface_release |
kfree(intf) (free) |
| gb_interface_mode_switch_work
| mutex_lock(&intf->mutex) (use)
Fix it by canceling the work before kfree.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Linux |
|
Configuration 1 [-]
|
No data.
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: Linux
Published: 2024-07-12T12:20:31.022Z
Updated: 2024-08-20T14:16:51.245Z
Reserved: 2024-06-25T14:23:23.751Z
Link: CVE-2024-39495
Vulnrichment
Updated: 2024-08-02T04:26:15.499Z
NVD
Status : Modified
Published: 2024-07-12T13:15:12.183
Modified: 2024-08-20T15:35:19.527
Link: CVE-2024-39495
Redhat