Cyber Posture

CVE-2024-57984

High

Published: 27 February 2025

Published
27 February 2025
Modified
24 March 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 3.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In the Linux kernel, the following vulnerability has been resolved: i3c: dw: Fix use-after-free in dw_i3c_master driver due to race condition In dw_i3c_common_probe, &master->hj_work is bound with dw_i3c_hj_work. And dw_i3c_master_irq_handler can call dw_i3c_master_irq_handle_ibis function to start the work. If we remove the module which will call dw_i3c_common_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | dw_i3c_hj_work dw_i3c_common_remove | i3c_master_unregister(&master->base) | device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base Fix it by ensuring that the work is canceled before proceeding with the cleanup in dw_i3c_common_remove.

Security Summary

CVE-2024-57984 is a use-after-free vulnerability in the Linux kernel's dw_i3c_master driver within the I3C subsystem. The issue arises from a race condition during module removal: in dw_i3c_common_probe, the master->hj_work is queued with dw_i3c_hj_work, and the dw_i3c_master_irq_handler can trigger it via dw_i3c_master_irq_handle_ibis. If the module is unloaded via dw_i3c_common_remove, it calls i3c_master_unregister and device_unregister, freeing master->base while the work item may still execute and access it, such as in i3c_master_do_daa.

A local attacker with low privileges can exploit this vulnerability, as indicated by its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation requires triggering the race condition between IRQ handling and module cleanup, potentially allowing arbitrary code execution, data corruption, or denial of service through the use-after-free on the freed master->base structure (CWE-416).

The provided kernel patch references detail the mitigation: commits in the stable kernel repository (e.g., 60d2fb033a99, 9b0063098fcd) fix the issue by canceling the hj_work before proceeding with cleanup in dw_i3c_common_remove, preventing the use-after-free during the race. Systems should apply these upstream stable kernel updates to affected versions.

Details

CWE(s)
CWE-416

Affected Products

linux
linux kernel
5.0 — 6.6.76 · 6.7 — 6.12.13 · 6.13 — 6.13.2

References