vulnerability

Ubuntu: (Multiple Advisories) (CVE-2024-43900): Linux kernel vulnerabilities

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:L/AC:L/Au:S/C:C/I:C/A:C)	Aug 26, 2024	Dec 13, 2024	Aug 18, 2025

Severity

CVSS

(AV:L/AC:L/Au:S/C:C/I:C/A:C)

Published

Aug 26, 2024

Added

Dec 13, 2024

Modified

Aug 18, 2025

Description

In the Linux kernel, the following vulnerability has been resolved:

media: xc2028: avoid use-after-free in load_firmware_cb()

syzkaller reported use-after-free in load_firmware_cb() [1].
The reason is because the module allocated a struct tuner in tuner_probe(),
and then the module initialization failed, the struct tuner was released.
A worker which created during module initialization accesses this struct
tuner later, it caused use-after-free.

The process is as follows:

task-6504 worker_thread
tuner_probe <= alloc dvb_frontend [2]
...
request_firmware_nowait <= create a worker
...
tuner_remove <= free dvb_frontend
...
request_firmware_work_func <= the firmware is ready
load_firmware_cb <= but now the dvb_frontend has been freed

To fix the issue, check the dvd_frontend in load_firmware_cb(), if it is
null, report a warning and just return.

[1]:
==================================================================
BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0
Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504

Call trace:
load_firmware_cb+0x1310/0x17a0
request_firmware_work_func+0x128/0x220
process_one_work+0x770/0x1824
worker_thread+0x488/0xea0
kthread+0x300/0x430
ret_from_fork+0x10/0x20

Allocated by task 6504:
kzalloc
tuner_probe+0xb0/0x1430
i2c_device_probe+0x92c/0xaf0
really_probe+0x678/0xcd0
driver_probe_device+0x280/0x370
__device_attach_driver+0x220/0x330
bus_for_each_drv+0x134/0x1c0
__device_attach+0x1f4/0x410
device_initial_probe+0x20/0x30
bus_probe_device+0x184/0x200
device_add+0x924/0x12c0
device_register+0x24/0x30
i2c_new_device+0x4e0/0xc44
v4l2_i2c_new_subdev_board+0xbc/0x290
v4l2_i2c_new_subdev+0xc8/0x104
em28xx_v4l2_init+0x1dd0/0x3770

Freed by task 6504:
kfree+0x238/0x4e4
tuner_remove+0x144/0x1c0
i2c_device_remove+0xc8/0x290
__device_release_driver+0x314/0x5fc
device_release_driver+0x30/0x44
bus_remove_device+0x244/0x490
device_del+0x350/0x900
device_unregister+0x28/0xd0
i2c_unregister_device+0x174/0x1d0
v4l2_device_unregister+0x224/0x380
em28xx_v4l2_init+0x1d90/0x3770

The buggy address belongs to the object at ffff8000d7ca2000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 776 bytes inside of
2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)
The buggy address belongs to the page:
page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0
flags: 0x7ff800000000100(slab)
raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

[2]
Actually, it is allocated for struct tuner, and dvb_frontend is inside.

Solutions

ubuntu-upgrade-linux-image-3-13-0-204-genericubuntu-upgrade-linux-image-3-13-0-204-lowlatencyubuntu-upgrade-linux-image-4-15-0-1140-oracleubuntu-upgrade-linux-image-4-15-0-1161-kvmubuntu-upgrade-linux-image-4-15-0-1171-gcpubuntu-upgrade-linux-image-4-15-0-1178-awsubuntu-upgrade-linux-image-4-15-0-1186-azureubuntu-upgrade-linux-image-4-15-0-235-genericubuntu-upgrade-linux-image-4-15-0-235-lowlatencyubuntu-upgrade-linux-image-4-4-0-1141-awsubuntu-upgrade-linux-image-4-4-0-1142-kvmubuntu-upgrade-linux-image-4-4-0-1179-awsubuntu-upgrade-linux-image-4-4-0-266-genericubuntu-upgrade-linux-image-4-4-0-266-lowlatencyubuntu-upgrade-linux-image-5-15-0-1021-nvidia-tegra-igxubuntu-upgrade-linux-image-5-15-0-1021-nvidia-tegra-igx-rtubuntu-upgrade-linux-image-5-15-0-1033-nvidia-tegraubuntu-upgrade-linux-image-5-15-0-1033-nvidia-tegra-rtubuntu-upgrade-linux-image-5-15-0-1044-xilinx-zynqmpubuntu-upgrade-linux-image-5-15-0-1062-gkeopubuntu-upgrade-linux-image-5-15-0-1072-ibmubuntu-upgrade-linux-image-5-15-0-1073-intel-iot-realtimeubuntu-upgrade-linux-image-5-15-0-1074-ibmubuntu-upgrade-linux-image-5-15-0-1074-nvidiaubuntu-upgrade-linux-image-5-15-0-1074-nvidia-lowlatencyubuntu-upgrade-linux-image-5-15-0-1074-raspiubuntu-upgrade-linux-image-5-15-0-1075-intel-iotgubuntu-upgrade-linux-image-5-15-0-1076-kvmubuntu-upgrade-linux-image-5-15-0-1077-gkeubuntu-upgrade-linux-image-5-15-0-1077-intel-iotgubuntu-upgrade-linux-image-5-15-0-1077-oracleubuntu-upgrade-linux-image-5-15-0-1079-gcpubuntu-upgrade-linux-image-5-15-0-1079-gcp-fipsubuntu-upgrade-linux-image-5-15-0-1080-awsubuntu-upgrade-linux-image-5-15-0-1080-aws-fipsubuntu-upgrade-linux-image-5-15-0-1080-realtimeubuntu-upgrade-linux-image-5-15-0-1081-gcpubuntu-upgrade-linux-image-5-15-0-1083-azure-fipsubuntu-upgrade-linux-image-5-15-0-1084-azureubuntu-upgrade-linux-image-5-15-0-1086-azureubuntu-upgrade-linux-image-5-15-0-1086-azure-fdeubuntu-upgrade-linux-image-5-15-0-135-fipsubuntu-upgrade-linux-image-5-15-0-135-genericubuntu-upgrade-linux-image-5-15-0-135-generic-64kubuntu-upgrade-linux-image-5-15-0-135-generic-lpaeubuntu-upgrade-linux-image-5-15-0-135-lowlatencyubuntu-upgrade-linux-image-5-15-0-135-lowlatency-64kubuntu-upgrade-linux-image-5-15-0-136-genericubuntu-upgrade-linux-image-5-15-0-136-generic-64kubuntu-upgrade-linux-image-5-15-0-136-generic-lpaeubuntu-upgrade-linux-image-5-4-0-1048-iotubuntu-upgrade-linux-image-5-4-0-1060-xilinx-zynqmpubuntu-upgrade-linux-image-5-4-0-1088-ibmubuntu-upgrade-linux-image-5-4-0-1090-ibmubuntu-upgrade-linux-image-5-4-0-1101-bluefieldubuntu-upgrade-linux-image-5-4-0-1116-fipsubuntu-upgrade-linux-image-5-4-0-1129-kvmubuntu-upgrade-linux-image-5-4-0-1129-raspiubuntu-upgrade-linux-image-5-4-0-1140-oracleubuntu-upgrade-linux-image-5-4-0-1142-awsubuntu-upgrade-linux-image-5-4-0-1142-aws-fipsubuntu-upgrade-linux-image-5-4-0-1145-gcpubuntu-upgrade-linux-image-5-4-0-1145-gcp-fipsubuntu-upgrade-linux-image-5-4-0-1147-azureubuntu-upgrade-linux-image-5-4-0-1147-azure-fipsubuntu-upgrade-linux-image-5-4-0-211-genericubuntu-upgrade-linux-image-5-4-0-211-generic-lpaeubuntu-upgrade-linux-image-5-4-0-211-lowlatencyubuntu-upgrade-linux-image-6-8-0-1002-gkeopubuntu-upgrade-linux-image-6-8-0-1015-gkeubuntu-upgrade-linux-image-6-8-0-1016-raspiubuntu-upgrade-linux-image-6-8-0-1017-ibmubuntu-upgrade-linux-image-6-8-0-1017-oracleubuntu-upgrade-linux-image-6-8-0-1017-oracle-64kubuntu-upgrade-linux-image-6-8-0-1018-oemubuntu-upgrade-linux-image-6-8-0-1019-gcpubuntu-upgrade-linux-image-6-8-0-1019-nvidiaubuntu-upgrade-linux-image-6-8-0-1019-nvidia-64kubuntu-upgrade-linux-image-6-8-0-1019-nvidia-lowlatencyubuntu-upgrade-linux-image-6-8-0-1019-nvidia-lowlatency-64kubuntu-upgrade-linux-image-6-8-0-1020-awsubuntu-upgrade-linux-image-6-8-0-1020-azureubuntu-upgrade-linux-image-6-8-0-1020-azure-fdeubuntu-upgrade-linux-image-6-8-0-50-genericubuntu-upgrade-linux-image-6-8-0-50-generic-64kubuntu-upgrade-linux-image-6-8-0-50-lowlatencyubuntu-upgrade-linux-image-6-8-0-50-lowlatency-64kubuntu-upgrade-linux-image-awsubuntu-upgrade-linux-image-aws-fipsubuntu-upgrade-linux-image-aws-hweubuntu-upgrade-linux-image-aws-lts-18-04ubuntu-upgrade-linux-image-aws-lts-20-04ubuntu-upgrade-linux-image-aws-lts-22-04ubuntu-upgrade-linux-image-azureubuntu-upgrade-linux-image-azure-cvmubuntu-upgrade-linux-image-azure-fdeubuntu-upgrade-linux-image-azure-fipsubuntu-upgrade-linux-image-azure-lts-18-04ubuntu-upgrade-linux-image-azure-lts-20-04ubuntu-upgrade-linux-image-azure-lts-22-04ubuntu-upgrade-linux-image-bluefieldubuntu-upgrade-linux-image-fipsubuntu-upgrade-linux-image-gcpubuntu-upgrade-linux-image-gcp-fipsubuntu-upgrade-linux-image-gcp-lts-18-04ubuntu-upgrade-linux-image-gcp-lts-20-04ubuntu-upgrade-linux-image-gcp-lts-22-04ubuntu-upgrade-linux-image-genericubuntu-upgrade-linux-image-generic-64kubuntu-upgrade-linux-image-generic-64k-hwe-20-04ubuntu-upgrade-linux-image-generic-64k-hwe-22-04ubuntu-upgrade-linux-image-generic-64k-hwe-24-04ubuntu-upgrade-linux-image-generic-hwe-16-04ubuntu-upgrade-linux-image-generic-hwe-18-04ubuntu-upgrade-linux-image-generic-hwe-20-04ubuntu-upgrade-linux-image-generic-hwe-22-04ubuntu-upgrade-linux-image-generic-hwe-24-04ubuntu-upgrade-linux-image-generic-lpaeubuntu-upgrade-linux-image-generic-lpae-hwe-20-04ubuntu-upgrade-linux-image-generic-lts-trustyubuntu-upgrade-linux-image-generic-lts-xenialubuntu-upgrade-linux-image-gkeubuntu-upgrade-linux-image-gke-5-15ubuntu-upgrade-linux-image-gkeopubuntu-upgrade-linux-image-gkeop-5-15ubuntu-upgrade-linux-image-gkeop-6-8ubuntu-upgrade-linux-image-ibmubuntu-upgrade-linux-image-ibm-classicubuntu-upgrade-linux-image-ibm-lts-20-04ubuntu-upgrade-linux-image-ibm-lts-24-04ubuntu-upgrade-linux-image-intelubuntu-upgrade-linux-image-intel-iot-realtimeubuntu-upgrade-linux-image-intel-iotgubuntu-upgrade-linux-image-kvmubuntu-upgrade-linux-image-lowlatencyubuntu-upgrade-linux-image-lowlatency-64kubuntu-upgrade-linux-image-lowlatency-64k-hwe-20-04ubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04ubuntu-upgrade-linux-image-lowlatency-64k-hwe-24-04ubuntu-upgrade-linux-image-lowlatency-hwe-16-04ubuntu-upgrade-linux-image-lowlatency-hwe-18-04ubuntu-upgrade-linux-image-lowlatency-hwe-20-04ubuntu-upgrade-linux-image-lowlatency-hwe-22-04ubuntu-upgrade-linux-image-lowlatency-hwe-24-04ubuntu-upgrade-linux-image-lowlatency-lts-xenialubuntu-upgrade-linux-image-nvidiaubuntu-upgrade-linux-image-nvidia-6-8ubuntu-upgrade-linux-image-nvidia-64kubuntu-upgrade-linux-image-nvidia-64k-6-8ubuntu-upgrade-linux-image-nvidia-64k-hwe-22-04ubuntu-upgrade-linux-image-nvidia-hwe-22-04ubuntu-upgrade-linux-image-nvidia-lowlatencyubuntu-upgrade-linux-image-nvidia-lowlatency-64kubuntu-upgrade-linux-image-nvidia-tegraubuntu-upgrade-linux-image-nvidia-tegra-igxubuntu-upgrade-linux-image-nvidia-tegra-igx-rtubuntu-upgrade-linux-image-nvidia-tegra-rtubuntu-upgrade-linux-image-oemubuntu-upgrade-linux-image-oem-20-04ubuntu-upgrade-linux-image-oem-20-04bubuntu-upgrade-linux-image-oem-20-04cubuntu-upgrade-linux-image-oem-20-04dubuntu-upgrade-linux-image-oem-22-04ubuntu-upgrade-linux-image-oem-22-04aubuntu-upgrade-linux-image-oem-22-04bubuntu-upgrade-linux-image-oem-22-04cubuntu-upgrade-linux-image-oem-22-04dubuntu-upgrade-linux-image-oem-24-04ubuntu-upgrade-linux-image-oem-24-04aubuntu-upgrade-linux-image-oem-osp1ubuntu-upgrade-linux-image-oracleubuntu-upgrade-linux-image-oracle-64kubuntu-upgrade-linux-image-oracle-lts-18-04ubuntu-upgrade-linux-image-oracle-lts-20-04ubuntu-upgrade-linux-image-oracle-lts-22-04ubuntu-upgrade-linux-image-raspiubuntu-upgrade-linux-image-raspi-hwe-18-04ubuntu-upgrade-linux-image-raspi-nolpaeubuntu-upgrade-linux-image-raspi2ubuntu-upgrade-linux-image-realtimeubuntu-upgrade-linux-image-serverubuntu-upgrade-linux-image-snapdragon-hwe-18-04ubuntu-upgrade-linux-image-virtualubuntu-upgrade-linux-image-virtual-hwe-16-04ubuntu-upgrade-linux-image-virtual-hwe-18-04ubuntu-upgrade-linux-image-virtual-hwe-20-04ubuntu-upgrade-linux-image-virtual-hwe-22-04ubuntu-upgrade-linux-image-virtual-hwe-24-04ubuntu-upgrade-linux-image-virtual-lts-xenialubuntu-upgrade-linux-image-xilinx-zynqmp

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today