{"id":"CVE-2024-26654","summary":"ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\n\nThe dreamcastcard-\u003etimer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard-\u003etimer.\n\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\n\n      (Thread 1)                 |      (Thread 2)\nsnd_aicapcm_pcm_close()          |\n ...                             |  run_spu_dma() //worker\n                                 |    mod_timer()\n  flush_work()                   |\n  del_timer()                    |  aica_period_elapsed() //timer\n  kfree(dreamcastcard-\u003echannel)  |    schedule_work()\n                                 |  run_spu_dma() //worker\n  ...                            |    dreamcastcard-\u003echannel-\u003e //USE\n\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.","modified":"2026-04-02T10:05:14.008927Z","published":"2024-04-01T08:35:19.763Z","related":["MGASA-2024-0141","MGASA-2024-0142","SUSE-SU-2024:1466-1","SUSE-SU-2024:1480-1","SUSE-SU-2024:1490-1","SUSE-SU-2024:2135-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26654.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26654.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26654"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"198de43d758ca2700e2b52b49c0b189b4931466c"},{"fixed":"eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2"},{"fixed":"4206ad65a0ee76920041a755bd3c17c6ba59bba2"},{"fixed":"aa39e6878f61f50892ee2dd9d2176f72020be845"},{"fixed":"8c990221681688da34295d6d76cc2f5b963e83f5"},{"fixed":"9d66ae0e7bb78b54e1e0525456c6b54e1d132046"},{"fixed":"61d4787692c1fccdc268ffa7a891f9c149f50901"},{"fixed":"e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3"},{"fixed":"3c907bf56905de7d27b329afaf59c2fb35d17b04"},{"fixed":"051e0840ffa8ab25554d6b14b62c9ab9e4901457"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26654.json"}}],"schema_version":"1.7.5"}