CVE-2024-38600

ALSA: Fix deadlocks with kctl removals at disconnection

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

ALSA: Fix deadlocks with kctl removals at disconnection

In snd_card_disconnect(), we set card->shutdown flag at the beginning,
call callbacks and do sync for card->power_ref_sleep waiters at the
end. The callback may delete a kctl element, and this can lead to a
deadlock when the device was in the suspended state. Namely:

* A process waits for the power up at snd_power_ref_and_wait() in
snd_ctl_info() or read/write() inside card->controls_rwsem.

* The system gets disconnected meanwhile, and the driver tries to
delete a kctl via snd_ctl_remove*(); it tries to take
card->controls_rwsem again, but this is already locked by the
above. Since the sleeper isn't woken up, this deadlocks.

An easy fix is to wake up sleepers before processing the driver
disconnect callbacks but right after setting the card->shutdown flag.
Then all sleepers will abort immediately, and the code flows again.

So, basically this patch moves the wait_event() call at the right
timing. While we're at it, just to be sure, call wait_event_all()
instead of wait_event(), although we don't use exclusive events on
this queue for now.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: soluciona interbloqueos con eliminaciones de kctl al desconectar fin. La devolución de llamada puede eliminar un elemento kctl y esto puede provocar un punto muerto cuando el dispositivo estaba en estado suspendido. Es decir: * Un proceso espera el encendido en snd_power_ref_and_wait() en snd_ctl_info() o lectura/escritura() dentro de card->controls_rwsem. * Mientras tanto, el sistema se desconecta y el controlador intenta eliminar un kctl mediante snd_ctl_remove*(); intenta tomar card->controls_rwsem nuevamente, pero esto ya está bloqueado por lo anterior. Como el durmiente no se despierta, esto se bloquea. Una solución fácil es despertar a los durmientes antes de procesar las devoluciones de llamada de desconexión del controlador, pero justo después de configurar la tarjeta->indicador de apagado. Entonces todos los durmientes abortarán inmediatamente y el código fluirá nuevamente. Básicamente, este parche mueve la llamada wait_event() en el momento adecuado. Mientras estamos en esto, solo para estar seguros, llame a wait_event_all() en lugar de wait_event(), aunque no usamos eventos exclusivos en esta cola por ahora.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-18 CVE Reserved
2024-06-19 CVE Published
2024-08-28 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (6)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/ff80185e7b7b547a0911fcfc8aefc61c3e8304d7	2024-06-16
https://git.kernel.org/stable/c/c2fb439f4f1425a961d20bec818fed2c2d9ef70a	2024-06-12
https://git.kernel.org/stable/c/2f103287ef7960854808930499d1181bd0145d68	2024-06-12
https://git.kernel.org/stable/c/88ce3fe255d58a93624b467af036dc3519f309c7	2024-05-30
https://git.kernel.org/stable/c/6b55e879e7bd023a03888fc6c8339edf82f576f4	2024-05-30
https://git.kernel.org/stable/c/87988a534d8e12f2e6fc01fe63e6c1925dc5307c	2024-05-10

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.15.161 Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.161"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.1.93 Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.93"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.6.33 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.33"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.8.12 Search vendor "Linux" for product "Linux Kernel" and version " < 6.8.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.9.3 Search vendor "Linux" for product "Linux Kernel" and version " < 6.9.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.10 Search vendor "Linux" for product "Linux Kernel" and version " < 6.10"		en		Affected