cve/2024/CVE-2024-50061.md

### [CVE-2024-50061](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50061)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0%3C%202a21bad9964c91b34d65ba269914233720c0b1ce%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

In the Linux kernel, the following vulnerability has been resolved:i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race ConditionIn the cdns_i3c_master_probe function, &master->hj_work is bound withcdns_i3c_master_hj. And cdns_i3c_master_interrupt can callcnds_i3c_master_demux_ibis function to start the work.If we remove the module which will call cdns_i3c_master_remove tomake cleanup, it will free master->base through i3c_master_unregisterwhile the work mentioned above will be used. The sequence of operationsthat may lead to a UAF bug is as follows:CPU0                                      CPU1                                     | cdns_i3c_master_hjcdns_i3c_master_remove               |i3c_master_unregister(&master->base) |device_unregister(&master->dev)      |device_release                       |//free master->base                  |                                     | i3c_master_do_daa(&master->base)                                     | //use master->baseFix it by ensuring that the work is canceled before proceeding withthe cleanup in cdns_i3c_master_remove.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/bygregonline/devsec-fastapi-report