Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race ConditionIn the cdns_i3c_master_probe function, &master->hj_work is bound withcdns_i3c_master_hj. And cdns_i3c_master_interrupt can callcnds_i3c_master_demux_ibis function to start the work.If we remove the module which will call cdns_i3c_master_remove tomake cleanup, it will free master->base through i3c_master_unregisterwhile the work mentioned above will be used. The sequence of operationsthat may lead to a UAF bug is as follows:CPU0 CPU1 | cdns_i3c_master_hjcdns_i3c_master_remove |i3c_master_unregister(&master->base) |device_unregister(&master->dev) |device_release |//free master->base | | i3c_master_do_daa(&master->base) | //use master->baseFix it by ensuring that the work is canceled before proceeding withthe cleanup in cdns_i3c_master_remove.
No PoCs from references.
- https://github.com/bygregonline/devsec-fastapi-report
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://github.com/runwhen-contrib/helm-charts
- https://github.com/w4zu/Debian_security