CVE-2024-49874

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-49874
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49874.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-49874
Published
2024-10-21T18:01:14Z
Modified
2025-10-15T16:49:46.953267Z
Summary
i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition
Details

In the Linux kernel, the following vulnerability has been resolved:

i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition

In the svc_i3c_master_probe function, &master->hj_work is bound with svc_i3c_master_hj_work, &master->ibi_work is bound with svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the hj_work, svc_i3c_master_irq_handler can start the ibi_work.

If we remove the module which will call svc_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

    CPU0                                  CPU1

                                          | svc_i3c_master_hj_work
    svc_i3c_master_remove                 |
    i3c_master_unregister(&master->base)  |
    device_unregister(&master->dev)       |
    device_release                        |
    //free master->base                   |
                                          | i3c_master_do_daa(&master->base)
                                          | //use master->base

Fix it by ensuring that the work is canceled before proceeding with the cleanup in svc_i3c_master_remove.
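
The interleaving above, replayed as a deterministic user-space C model. This is an added example, not the driver's code or the upstream patch; the `model_*` and `hj_work_finish` names and the three-state work machine are assumptions made for illustration. It covers both the work already running and the work still queued when remove starts.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model only: every name below is hypothetical, not driver code. */
struct model_master {
    enum work_state { IDLE, QUEUED, RUNNING } hj_state; /* master->hj_work */
    bool base_alive;          /* false once release has freed master->base */
    int uaf_hits;             /* times the work used base after the free */
};

/* CPU1: remainder of a running hot-join work; the DAA step uses master->base. */
static void hj_work_finish(struct model_master *m)
{
    if (m->hj_state != RUNNING)
        return;
    if (!m->base_alive)
        m->uaf_hits++;        /* the driver would touch freed memory here */
    m->hj_state = IDLE;
}

/* Models cancel_work_sync(): wait for a running work, drop a queued one. */
static void model_cancel_work_sync(struct model_master *m)
{
    hj_work_finish(m);        /* returns at once unless the work is mid-flight */
    m->hj_state = IDLE;
}

/* CPU0: remove path; cancel_first selects the corrected ordering. */
static void model_remove(struct model_master *m, bool cancel_first)
{
    if (cancel_first)
        model_cancel_work_sync(m);
    m->base_alive = false;    /* unregister -> release frees master->base */
}

/* Replays the interleaving; returns how many stale accesses occurred. */
static int replay(bool work_running, bool cancel_first)
{
    struct model_master m = { work_running ? RUNNING : QUEUED, true, 0 };
    model_remove(&m, cancel_first);
    if (m.hj_state == QUEUED)
        m.hj_state = RUNNING; /* CPU1 picks up work that was still queued */
    hj_work_finish(&m);
    return m.uaf_hits;
}

int main(void)
{
    printf("no cancel: %d, cancel: %d\n", replay(true, false), replay(true, true));
    return 0;
}
```

In the model, cancelling only helps because it happens before `base_alive` is cleared; moving the cancel after the release step would leave the same window open.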

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
87e0f28eda36c7843523aa8dd0c5dab3331e9718
Fixed
56bddf543d4d7ddeff3f87b554ddacfdf086bffe
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7
Fixed
4ac637122930cc4ab7e2c22e364cf3aaf96b05b1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7
Fixed
4318998892bf8fe99f97bea18c37ae7b685af75a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7
Fixed
27b55724d3f781dd6e635e89dc6e2fd78fa81a00
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7
Fixed
61850725779709369c7e907ae8c7c75dc7cec4f3

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.10.1
v6.10.10
v6.10.11
v6.10.12
v6.10.13
v6.10.2
v6.10.3
v6.10.4
v6.10.5
v6.10.6
v6.10.7
v6.10.8
v6.10.9
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.2
v6.3
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2024-49874-78fd2aff",
            "signature_type": "Line",
            "target": {
                "file": "drivers/i3c/master/svc-i3c-master.c"
            },
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "305332054609222264757079223340452996073",
                    "201032073115062260719368493882519536530",
                    "70606614684647688786454425219541058342"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@56bddf543d4d7ddeff3f87b554ddacfdf086bffe"
        },
        {
            "id": "CVE-2024-49874-c59c1173",
            "signature_type": "Function",
            "target": {
                "file": "drivers/i3c/master/svc-i3c-master.c",
                "function": "svc_i3c_master_remove"
            },
            "signature_version": "v1",
            "digest": {
                "length": 178.0,
                "function_hash": "244370420548098976851651582795020009588"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@56bddf543d4d7ddeff3f87b554ddacfdf086bffe"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.4.0
Fixed
6.6.55
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.10.14
Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.11.3