{"uuid": "3715dbfc-a189-4c0c-a217-44a326d4334f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-50061", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/4893", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-50061\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition\n\nIn the cdns_i3c_master_probe function, &master->hj_work is bound with\ncdns_i3c_master_hj. And cdns_i3c_master_interrupt can call\ncnds_i3c_master_demux_ibis function to start the work.\n\nIf we remove the module which will call cdns_i3c_master_remove to\nmake cleanup, it will free master->base through i3c_master_unregister\nwhile the work mentioned above will be used. The sequence of operations\nthat may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | cdns_i3c_master_hj\ncdns_i3c_master_remove |\ni3c_master_unregister(&master->base) |\ndevice_unregister(&master->dev) |\ndevice_release |\n//free master->base |\n | i3c_master_do_daa(&master->base)\n | //use master->base\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in cdns_i3c_master_remove.\n\ud83d\udccf Published: 2024-10-21T19:39:50.415Z\n\ud83d\udccf Modified: 2025-02-21T13:45:14.131Z\n\ud83d\udd17 References:\n1. https://git.kernel.org/stable/c/2a21bad9964c91b34d65ba269914233720c0b1ce\n2. https://git.kernel.org/stable/c/ea0256e393e0072e8c80fd941547807f0c28108b\n3. https://git.kernel.org/stable/c/687016d6a1efbfacdd2af913e2108de6b75a28d5\n4. https://git.kernel.org/stable/c/609366e7a06d035990df78f1562291c3bf0d4a12", "creation_timestamp": "2025-02-21T14:18:31.000000Z"}