// For flags

CVE-2024-38600

ALSA: Fix deadlocks with kctl removals at disconnection

Severity Score

4.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

ALSA: Fix deadlocks with kctl removals at disconnection

In snd_card_disconnect(), we set card->shutdown flag at the beginning,
call callbacks and do sync for card->power_ref_sleep waiters at the
end. The callback may delete a kctl element, and this can lead to a
deadlock when the device was in the suspended state. Namely:

* A process waits for the power up at snd_power_ref_and_wait() in
snd_ctl_info() or read/write() inside card->controls_rwsem.

* The system gets disconnected meanwhile, and the driver tries to
delete a kctl via snd_ctl_remove*(); it tries to take
card->controls_rwsem again, but this is already locked by the
above. Since the sleeper isn't woken up, this deadlocks.

An easy fix is to wake up sleepers before processing the driver
disconnect callbacks but right after setting the card->shutdown flag.
Then all sleepers will abort immediately, and the code flows again.

So, basically this patch moves the wait_event() call at the right
timing. While we're at it, just to be sure, call wait_event_all()
instead of wait_event(), although we don't use exclusive events on
this queue for now.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: soluciona interbloqueos con eliminaciones de kctl al desconectar fin. La devolución de llamada puede eliminar un elemento kctl y esto puede provocar un punto muerto cuando el dispositivo estaba en estado suspendido. Es decir: * Un proceso espera el encendido en snd_power_ref_and_wait() en snd_ctl_info() o lectura/escritura() dentro de card->controls_rwsem. * Mientras tanto, el sistema se desconecta y el controlador intenta eliminar un kctl mediante snd_ctl_remove*(); intenta tomar card->controls_rwsem nuevamente, pero esto ya está bloqueado por lo anterior. Como el durmiente no se despierta, esto se bloquea. Una solución fácil es despertar a los durmientes antes de procesar las devoluciones de llamada de desconexión del controlador, pero justo después de configurar la tarjeta->indicador de apagado. Entonces todos los durmientes abortarán inmediatamente y el código fluirá nuevamente. Básicamente, este parche mueve la llamada wait_event() en el momento adecuado. Mientras estamos en esto, solo para estar seguros, llame a wait_event_all() en lugar de wait_event(), aunque no usamos eventos exclusivos en esta cola por ahora.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-06-18 CVE Reserved
  • 2024-06-19 CVE Published
  • 2024-08-28 EPSS Updated
  • 2024-11-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-833: Deadlock
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 5.15.161
Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.161"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 6.1.93
Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.93"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 6.6.33
Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.33"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 6.8.12
Search vendor "Linux" for product "Linux Kernel" and version " < 6.8.12"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 6.9.3
Search vendor "Linux" for product "Linux Kernel" and version " < 6.9.3"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 6.10
Search vendor "Linux" for product "Linux Kernel" and version " < 6.10"
en
Affected