CVE-2024-46798

EPSS 0.03%
Published 18.09.2024 08:15:06
Last modified 03.11.2025 23:16:02
Source 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Open
Login

In the Linux kernel, the following vulnerability has been resolved:

ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object

When using kernel with the following extra config,

  - CONFIG_KASAN=y
  - CONFIG_KASAN_GENERIC=y
  - CONFIG_KASAN_INLINE=y
  - CONFIG_KASAN_VMALLOC=y
  - CONFIG_FRAME_WARN=4096

kernel detects that snd_pcm_suspend_all() access a freed
'snd_soc_pcm_runtime' object when the system is suspended, which
leads to a use-after-free bug:

[   52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270
[   52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330

[   52.047785] Call trace:
[   52.047787]  dump_backtrace+0x0/0x3c0
[   52.047794]  show_stack+0x34/0x50
[   52.047797]  dump_stack_lvl+0x68/0x8c
[   52.047802]  print_address_description.constprop.0+0x74/0x2c0
[   52.047809]  kasan_report+0x210/0x230
[   52.047815]  __asan_report_load1_noabort+0x3c/0x50
[   52.047820]  snd_pcm_suspend_all+0x1a8/0x270
[   52.047824]  snd_soc_suspend+0x19c/0x4e0

The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before
making any access. So we need to always set 'substream->runtime' to NULL
everytime we kfree() it.

Affected products Warnungen 0 Metrics 2 CWE 1 References 12

Data is provided by the National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 5.4 < 5.4.284

Linux ≫ Linux Kernel Version >= 5.5 < 5.10.226

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.167

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.110

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.51

Linux ≫ Linux Kernel Version >= 6.7 < 6.10.10

Linux ≫ Linux Kernel Version6.11 Updaterc1

Linux ≫ Linux Kernel Version6.11 Updaterc2

Linux ≫ Linux Kernel Version6.11 Updaterc3

Linux ≫ Linux Kernel Version6.11 Updaterc4

Linux ≫ Linux Kernel Version6.11 Updaterc5

Linux ≫ Linux Kernel Version6.11 Updaterc6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.058

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/3033ed903b4f28b5e1ab66042084fbc2c48f8624

Patch

https://git.kernel.org/stable/c/5d13afd021eb43868fe03cef6da34ad08831ad6d

Patch

https://git.kernel.org/stable/c/6a14fad8be178df6c4589667efec1789a3307b4e

Patch

https://git.kernel.org/stable/c/8ca21e7a27c66b95a4b215edc8e45e5d66679f9f

Patch

https://git.kernel.org/stable/c/993b60c7f93fa1d8ff296b58f646a867e945ae89

Patch

https://git.kernel.org/stable/c/b4a90b543d9f62d3ac34ec1ab97fc5334b048565

Patch