Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory. Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 ... hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953 Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.
Product status
f2d06d4e129e2508e356136f99bb20a332ff1a00 (git) before e719232f4552e29de8027a83918ea94434be87af
b889a7d68d7e76b8795b754a75c91a2d561d5e8c (git) before e247a0e01d15ed420f77ec5e2335721bf430a5b3
ea8cc56db659cf0ae57073e32a4735ead7bd7ee3 (git) before ba88461f7653636c48321ca993006a74724c2f41
b754e831a94f82f2593af806741392903f359168 (git) before e88354b381e2006de63d6b052ed7005c9a47d00e
57860a80f03f9dc69a34a5c37b0941ad032a0a8c (git) before af75b486f7e883e3422ece23c8d727e6815144a0
a0810c3d6dd2d29a9b92604d682eacd2902ce947 (git) before d21e8a2af4869b5890b34e081d5aeadc93e9cd5c
a0810c3d6dd2d29a9b92604d682eacd2902ce947 (git) before 3dc20d1981d6a67d8184498a5da272942dde1e65
a0810c3d6dd2d29a9b92604d682eacd2902ce947 (git) before 51f6532790b74ffdd6970bc848358a2838c1c185
a0810c3d6dd2d29a9b92604d682eacd2902ce947 (git) before b9c826916fdce6419b94eb0cd8810fdac18c2386
74357d0b5cd3ef544752bc9f21cbeee4902fae6c (git)
273eec23467dfbfbd0e4c10302579ba441fb1e13 (git)
0df7f4b5cc10f5adf98be0845372e9eef7bb5b09 (git)
5.10.231 (semver) before 5.10.258
5.15.174 (semver) before 5.15.209
6.1.120 (semver) before 6.1.175
6.6.64 (semver) before 6.6.136
6.12.2 (semver) before 6.12.83
4.19.325 (semver) before 4.20
5.4.287 (semver) before 5.5
6.11.11 (semver) before 6.12
6.13
Any version before 6.13
5.10.258 (semver)
5.15.209 (semver)
6.1.175 (semver)
6.6.136 (semver)
6.12.83 (semver)
6.18.24 (semver)
6.19.14 (semver)
7.0.1 (semver)
7.1-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/e719232f4552e29de8027a83918ea94434be87af
git.kernel.org/...c/e247a0e01d15ed420f77ec5e2335721bf430a5b3
git.kernel.org/...c/ba88461f7653636c48321ca993006a74724c2f41
git.kernel.org/...c/e88354b381e2006de63d6b052ed7005c9a47d00e
git.kernel.org/...c/af75b486f7e883e3422ece23c8d727e6815144a0
git.kernel.org/...c/d21e8a2af4869b5890b34e081d5aeadc93e9cd5c
git.kernel.org/...c/3dc20d1981d6a67d8184498a5da272942dde1e65
git.kernel.org/...c/51f6532790b74ffdd6970bc848358a2838c1c185
git.kernel.org/...c/b9c826916fdce6419b94eb0cd8810fdac18c2386