{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: pxafb: Fix possible use after free in pxafb_task()\n\nIn the pxafb_probe function, it calls the pxafb_init_fbinfo function,\nafter which &fbi->task is associated with pxafb_task. Moreover,\nwithin this pxafb_init_fbinfo function, the pxafb_blank function\nwithin the &pxafb_ops struct is capable of scheduling work.\n\nIf we remove the module which will call pxafb_remove to make cleanup,\nit will call unregister_framebuffer function which can call\ndo_unregister_framebuffer to free fbi->fb through\nput_fb_info(fb_info), while the work mentioned above will be used.\nThe sequence of operations that may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | pxafb_task\npxafb_remove |\nunregister_framebuffer(info) |\ndo_unregister_framebuffer(fb_info) |\nput_fb_info(fb_info) |\n// free fbi->fb | set_ctrlr_state(fbi, state)\n | __pxafb_lcd_power(fbi, 0)\n | fbi->lcd_power(on, &fbi->fb.var)\n | //use fbi->fb\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in pxafb_remove.\n\nNote that only root user can remove the driver at runtime." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/video/fbdev/pxafb.c" ], "versions": [ { "version": "1da177e4c3f4", "lessThan": "e6897e299f57", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "4cda484e584b", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "3c0d416eb4be", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "fdda354f60a5", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "aaadc0cb05c9", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "a3a855764dba", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "4a6921095eb0", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/video/fbdev/pxafb.c" ], "versions": [ { "version": "5.10.227", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.15.168", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.1.113", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.6.55", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.10.14", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.11.3", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.12-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/e6897e299f57b103e999e62010b88e363b3eebae" }, { "url": "https://git.kernel.org/stable/c/4cda484e584be34d55ee17436ebf7ad11922b97a" }, { "url": "https://git.kernel.org/stable/c/3c0d416eb4bef705f699213cee94bf54b6acdacd" }, { "url": "https://git.kernel.org/stable/c/fdda354f60a576d52dcf90351254714681df4370" }, { "url": "https://git.kernel.org/stable/c/aaadc0cb05c999ccd8898a03298b7e5c31509b08" }, { "url": "https://git.kernel.org/stable/c/a3a855764dbacbdb1cc51e15dc588f2d21c93e0e" }, { "url": "https://git.kernel.org/stable/c/4a6921095eb04a900e0000da83d9475eb958e61e" } ], "title": "fbdev: pxafb: Fix possible use after free in pxafb_task()", "x_generator": { "engine": "bippy-c9c4e1df01b2" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2024-49924", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }