ghsa-v977-rccx-6678
Vulnerability from github
Published
2024-09-18 09:30
Modified
2024-09-20 18:32
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object

When using kernel with the following extra config,

  • CONFIG_KASAN=y
  • CONFIG_KASAN_GENERIC=y
  • CONFIG_KASAN_INLINE=y
  • CONFIG_KASAN_VMALLOC=y
  • CONFIG_FRAME_WARN=4096

kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug:

[ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330

[ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0

The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-46798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T08:15:06Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: dapm: Fix UAF for snd_soc_pcm_runtime object\n\nWhen using kernel with the following extra config,\n\n  - CONFIG_KASAN=y\n  - CONFIG_KASAN_GENERIC=y\n  - CONFIG_KASAN_INLINE=y\n  - CONFIG_KASAN_VMALLOC=y\n  - CONFIG_FRAME_WARN=4096\n\nkernel detects that snd_pcm_suspend_all() access a freed\n\u0027snd_soc_pcm_runtime\u0027 object when the system is suspended, which\nleads to a use-after-free bug:\n\n[   52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270\n[   52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330\n\n[   52.047785] Call trace:\n[   52.047787]  dump_backtrace+0x0/0x3c0\n[   52.047794]  show_stack+0x34/0x50\n[   52.047797]  dump_stack_lvl+0x68/0x8c\n[   52.047802]  print_address_description.constprop.0+0x74/0x2c0\n[   52.047809]  kasan_report+0x210/0x230\n[   52.047815]  __asan_report_load1_noabort+0x3c/0x50\n[   52.047820]  snd_pcm_suspend_all+0x1a8/0x270\n[   52.047824]  snd_soc_suspend+0x19c/0x4e0\n\nThe snd_pcm_sync_stop() has a NULL check on \u0027substream-\u003eruntime\u0027 before\nmaking any access. So we need to always set \u0027substream-\u003eruntime\u0027 to NULL\neverytime we kfree() it.",
  "id": "GHSA-v977-rccx-6678",
  "modified": "2024-09-20T18:32:25Z",
  "published": "2024-09-18T09:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46798"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3033ed903b4f28b5e1ab66042084fbc2c48f8624"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5d13afd021eb43868fe03cef6da34ad08831ad6d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6a14fad8be178df6c4589667efec1789a3307b4e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8ca21e7a27c66b95a4b215edc8e45e5d66679f9f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/993b60c7f93fa1d8ff296b58f646a867e945ae89"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b4a90b543d9f62d3ac34ec1ab97fc5334b048565"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe5046ca91d631ec432eee3bdb1f1c49b09c8b5e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.