CVE-2024-49924

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 21/10/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

fbdev: pxafb: Fix possible use after free in pxafb_task()

In the pxafb_probe function, it calls the pxafb_init_fbinfo function,
after which &fbi->task is associated with pxafb_task. Moreover,
within this pxafb_init_fbinfo function, the pxafb_blank function
within the &pxafb_ops struct is capable of scheduling work.

If we remove the module which will call pxafb_remove to make cleanup,
it will call unregister_framebuffer function which can call
do_unregister_framebuffer to free fbi->fb through
put_fb_info(fb_info), while the work mentioned above will be used.
The sequence of operations that may lead to a UAF bug is as follows:

CPU0                                  CPU1

                                    | pxafb_task
pxafb_remove                        |
unregister_framebuffer(info)        |
do_unregister_framebuffer(fb_info)  |
put_fb_info(fb_info)                |
// free fbi->fb                     | set_ctrlr_state(fbi, state)
                                    | __pxafb_lcd_power(fbi, 0)
                                    | fbi->lcd_power(on, &fbi->fb.var)
                                    | //use fbi->fb

Fix it by ensuring that the work is canceled before proceeding
with the cleanup in pxafb_remove.

Note that only root user can remove the driver at runtime.

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 5.10.227 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.168 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.113 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.55 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.11.3 (excluding) |
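
The version ranges listed above, expressed as a check against a `uname -r` style release string. This is an added example, not part of the advisory; the function names and the sample release strings are constructed for illustration.

```python
import re

# Affected ranges copied from the table above: (from_inclusive, up_to_exclusive).
# None means the advisory lists no lower bound for that row.
AFFECTED = [
    (None, (5, 10, 227)),
    ((5, 11, 0), (5, 15, 168)),
    ((5, 16, 0), (6, 1, 113)),
    ((6, 2, 0), (6, 6, 55)),
    ((6, 7, 0), (6, 10, 14)),
    ((6, 11, 0), (6, 11, 3)),
]

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` style string.

    Suffixes such as "-rc2" or "-125-generic" are ignored and a missing
    patch level is treated as 0. Raises ValueError if no version is found.
    """
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"not a kernel release string: {release!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def in_affected_range(release):
    """True if the upstream version number falls inside a listed range."""
    v = parse_release(release)
    return any((lo is None or v >= lo) and v < hi for lo, hi in AFFECTED)


if __name__ == "__main__":
    # Constructed sample release strings, not taken from the advisory.
    samples = ["5.10.226", "5.10.227", "5.15.0-125-generic",
               "6.6.55", "6.11.2", "6.12.1"]
    for r in samples:
        verdict = "in range" if in_affected_range(r) else "not in range"
        print(f"{r:22} {verdict}")
```

A match reflects only the upstream version number: distribution kernels may carry the fix as a backport, and the flaw is reachable only where the pxafb driver is present.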