CVE-2024-38385

In the Linux kernel, the following vulnerability has been resolved:

genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after()

irq_find_at_or_after() dereferences the interrupt descriptor which is returned by mt_find() while neither holding sparse_irq_lock nor RCU read lock, which means the descriptor can be freed between mt_find() and the dereference:

CPU0                            CPU1
desc = mt_find()
                                delayed_free_desc(desc)
irq_desc_get_irq(desc)

The use-after-free is reported by KASAN:

Call trace:
 irq_get_next_irq+0x58/0x84
 show_stat+0x638/0x824
 seq_read_iter+0x158/0x4ec
 proc_reg_read_iter+0x94/0x12c
 vfs_read+0x1e0/0x2c8

Freed by task 4471:
 slab_free_freelist_hook+0x174/0x1e0
 __kmem_cache_free+0xa4/0x1dc
 kfree+0x64/0x128
 irq_kobj_release+0x28/0x3c
 kobject_put+0xcc/0x1e0
 delayed_free_desc+0x14/0x2c
 rcu_do_batch+0x214/0x720

Guard the access with a RCU read lock section.

Weakness

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.

Affected Software

Potential Mitigations

References

• https://git.kernel.org/stable/c/1c7891812d85500ae2ca4051fa5683fcf29930d8
• https://git.kernel.org/stable/c/b84a8aba806261d2f759ccedf4a2a6a80a5e55ba
• https://git.kernel.org/stable/c/d084aa022f84319f8079e30882cbcbc026af9f21
• https://git.kernel.org/stable/c/1c7891812d85500ae2ca4051fa5683fcf29930d8
• https://git.kernel.org/stable/c/b84a8aba806261d2f759ccedf4a2a6a80a5e55ba
• https://git.kernel.org/stable/c/d084aa022f84319f8079e30882cbcbc026af9f21