CVE-2024-26654 - Fixing a Use-After-Free Bug in the Linux Kernel's ALSA Subsystem with Proper Cleanup Reordering

A vulnerability, CVE-2024-26654, was found in the Linux kernel's ALSA (Advanced Linux Sound Architecture) subsystem: a Use-After-Free (UAF) bug in the aica driver (sound/sh/aica.c), which drives the Sega Dreamcast's AICA sound hardware and is specific to the SH (SuperH) architecture. The fix reorders the cleanup so that the period timer and the DMA worker are cancelled synchronously, and can no longer re-arm each other, before the channel memory is freed.

Details

A Use-After-Free bug occurs when memory is accessed after it has been freed; depending on what the allocator has placed there since, the result is a crash, data corruption, or, if an attacker controls the reallocated contents, arbitrary code execution. In the aica driver the bug came from a race between the DMA worker (run_spu_dma()) and the period timer callback (aica_period_elapsed()). The two keep each other alive: the worker re-arms the timer with mod_timer(), and the timer callback re-queues the worker with schedule_work().

The core issue is that snd_aicapcm_pcm_close() frees dreamcastcard->channel after a flush_work() and a del_timer(), and that pair does not stop the loop. flush_work() waits for the queued worker, but the worker re-arms the timer on its way out; del_timer() then removes a pending timer but returns immediately whether or not the callback is already running, so the timer callback can still call schedule_work() after del_timer() has returned. The re-queued worker then runs after kfree() and dereferences the freed channel. The interleaving is as follows:

      (Thread 1)                  |      (Thread 2)
snd_aicapcm_pcm_close()           |
 ...                              |  run_spu_dma() //worker
                                  |    mod_timer()
 flush_work()                     |
 del_timer()                      |  aica_period_elapsed() //timer
 kfree(dreamcastcard->channel)    |    schedule_work()
                                  |  run_spu_dma() //worker
 ...                              |    dreamcastcard->channel-> //USE

Resolution

To address this issue, two changes were made in the driver. First, run_spu_dma() now calls mod_timer() conditionally, only while the PCM (Pulse Code Modulation) stream is still running, so a worker that finishes during teardown cannot re-arm the timer. Second, the driver implements the PCM sync_stop operation (the .sync_stop member of snd_pcm_ops), which cancels both the timer and the worker and waits for any in-flight callback to finish, instead of relying on the non-waiting del_timer()/flush_work() sequence in the close path. The PCM core calls sync_stop after it has stopped the stream and before the substream is torn down, so by the time the channel is freed neither callback is queued, running, or able to re-arm the other.
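The following is an added example, not code from the kernel or from the aica driver: a deterministic, single-threaded userland model of the timer/worker loop in C, written to show why flush_work() plus del_timer() is not enough and why both halves of the fix are needed. The function names run_spu_dma and aica_period_elapsed are borrowed from the driver; the card struct, the callback FIFO, the running flag standing in for snd_pcm_running(), and the exact interleavings the "other thread" takes during teardown are assumptions of the model. Three teardown variants are compared: the pre-fix close path, a synchronous cancel without the conditional mod_timer(), and the fixed combination.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: deterministic model of the aica timer/worker loop. The worker
 * re-arms the timer and the timer callback re-queues the worker; queued
 * callbacks sit in a small FIFO and "thread 2" runs them at the points where
 * the close path is exposed. Nothing here is driver code. */

enum ev { EV_WORK = 1, EV_TIMER = 2 };

struct card {
    int *channel;    /* models dreamcastcard->channel */
    int freed;       /* set by the modelled kfree(); real code would read freed memory */
    int running;     /* assumption: what snd_pcm_running(substream) reports */
    int guarded;     /* 0: pre-fix callbacks, 1: callbacks with the running checks */
    enum ev q[16];   /* FIFO of queued timer/work callbacks */
    int n;
    int uaf;         /* channel accesses observed after the free */
};

static void enqueue(struct card *c, enum ev e)
{
    if (c->n < 16)
        c->q[c->n++] = e;
}

/* Drop every queued callback of one kind, as del_timer() does to a pending timer. */
static void dequeue_all(struct card *c, enum ev e)
{
    int i, j = 0;
    for (i = 0; i < c->n; i++)
        if (c->q[i] != e)
            c->q[j++] = c->q[i];
    c->n = j;
}

/* run_spu_dma(): touch the channel, then re-arm the period timer. */
static void run_spu_dma(struct card *c)
{
    if (c->freed) {                 /* dreamcastcard->channel-> //USE after kfree() */
        c->uaf++;
        return;
    }
    c->channel[0]++;
    if (!c->guarded || c->running)  /* fixed driver: mod_timer() only while running (assumed guard) */
        enqueue(c, EV_TIMER);
}

/* aica_period_elapsed(): timer callback that queues the worker again. */
static void aica_period_elapsed(struct card *c)
{
    if (c->guarded && !c->running)  /* fixed driver: no schedule_work() once stopped (assumed guard) */
        return;
    enqueue(c, EV_WORK);
}

/* Run the first queued callback of the given kind, if one is pending. */
static int fire_one(struct card *c, enum ev e)
{
    int i;
    for (i = 0; i < c->n; i++) {
        if (c->q[i] != e)
            continue;
        memmove(&c->q[i], &c->q[i + 1], (size_t)(c->n - i - 1) * sizeof c->q[0]);
        c->n--;
        if (e == EV_WORK)
            run_spu_dma(c);
        else
            aica_period_elapsed(c);
        return 1;
    }
    return 0;
}

static void init(struct card *c, int guarded)
{
    memset(c, 0, sizeof *c);
    c->channel = calloc(1, sizeof *c->channel);
    c->running = 1;
    c->guarded = guarded;
    enqueue(c, EV_WORK);            /* a DMA period just completed: the worker is queued */
}

/* Tear the stream down and report how many uses after free occurred. */
static int teardown(struct card *c, int sync_stop)
{
    if (sync_stop) {
        c->running = 0;             /* the PCM core has stopped the stream before sync_stop */
        fire_one(c, EV_TIMER);      /* del_timer_sync(): an in-flight callback runs to completion */
        dequeue_all(c, EV_TIMER);
        fire_one(c, EV_WORK);       /* cancel_work_sync(): an in-flight worker runs to completion */
        dequeue_all(c, EV_WORK);
    } else {
        fire_one(c, EV_WORK);       /* flush_work(): the worker finishes and re-arms the timer */
        fire_one(c, EV_TIMER);      /* thread 2: the timer fires and calls schedule_work() */
        dequeue_all(c, EV_TIMER);   /* del_timer(): nothing pending, returns at once */
    }
    c->freed = 1;
    free(c->channel);               /* kfree(dreamcastcard->channel) */
    c->channel = NULL;
    while (c->n)                    /* whatever is still queued runs after the free */
        fire_one(c, c->q[0]);
    return c->uaf;
}

int close_before_fix(void)         { struct card c; init(&c, 0); return teardown(&c, 0); }
int close_sync_without_guard(void) { struct card c; init(&c, 0); return teardown(&c, 1); }
int close_after_fix(void)          { struct card c; init(&c, 1); return teardown(&c, 1); }

int main(void)
{
    printf("flush_work+del_timer, no guard: %d use(s) after free\n", close_before_fix());
    printf("sync cancel, no guard         : %d use(s) after free\n", close_sync_without_guard());
    printf("sync cancel + running guard   : %d use(s) after free\n", close_after_fix());
    return 0;
}
```

The second variant is the corner case that makes the conditional mod_timer() necessary in this model: even with synchronous cancels, a worker that is still finishing while the work item is being cancelled can re-arm a timer that was already cancelled, and that timer then re-queues the worker after the free. Only the combination of a running check in both callbacks and a synchronous cancel of both leaves nothing queued when kfree() runs.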

With both callbacks guaranteed idle before kfree(), the worker can no longer dereference a freed channel. The practical exposure is narrow, since the driver is built only for Dreamcast (SH) kernels and the race is reached through opening and closing the PCM device, but the pattern (a timer and a work item that re-arm each other, torn down with non-waiting cancel calls) is a recurring source of kernel UAFs and is worth checking for in other drivers.

Original References

- ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs
- Linux kernel source code

Conclusion

CVE-2024-26654 is a Use-After-Free in the aica driver of the Linux kernel's ALSA subsystem. It was resolved by calling mod_timer() only while the stream is running and by implementing the PCM sync_stop operation, which cancels both the timer and the worker synchronously before the channel is freed, closing the race between the close path and the driver's own callbacks.

Timeline

Published on: 04/01/2024 09:15:51 UTC
Last modified on: 06/25/2024 21:15:58 UTC