CVE-2024-26654

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs<br /> <br /> The dreamcastcard-&gt;timer could schedule the spu_dma_work and the<br /> spu_dma_work could also arm the dreamcastcard-&gt;timer.<br /> <br /> When the snd_pcm_substream is closing, the aica_channel will be<br /> deallocated. But it could still be dereferenced in the worker<br /> thread. The reason is that del_timer() will return directly<br /> regardless of whether the timer handler is running or not and<br /> the worker could be rescheduled in the timer handler. As a result,<br /> the UAF bug will happen. The racy situation is shown below:<br /> <br /> (Thread 1) | (Thread 2)<br /> snd_aicapcm_pcm_close() |<br /> ... | run_spu_dma() //worker<br /> | mod_timer()<br /> flush_work() |<br /> del_timer() | aica_period_elapsed() //timer<br /> kfree(dreamcastcard-&gt;channel) | schedule_work()<br /> | run_spu_dma() //worker<br /> ... | dreamcastcard-&gt;channel-&gt; //USE<br /> <br /> In order to mitigate this bug and other possible corner cases,<br /> call mod_timer() conditionally in run_spu_dma(), then implement<br /> PCM sync_stop op to cancel both the timer and worker. The sync_stop<br /> op will be called from PCM core appropriately when needed.