In the Linux kernel, the following vulnerability has been resolved: media:
mtk-jpeg: Fix use after free bug due to error path handling in
mtk_jpeg_dec_device_run In mtk_jpeg_probe, &jpeg->job_timeout_work is bound
with mtk_jpeg_job_timeout_work. In mtk_jpeg_dec_device_run, if error
happens in mtk_jpeg_set_dec_dst, it will finally start the worker while
mark the job as finished by invoking v4l2_m2m_job_finish. There are two
methods to trigger the bug. If we remove the module, it which will call
mtk_jpeg_remove to make cleanup. The possible sequence is as follows, which
will cause a use-after-free bug. CPU0 CPU1 mtk_jpeg_dec_… | start worker
| |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release |
kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use If
we close the file descriptor, which will call mtk_jpeg_release, it will
have a similar sequence. Fix this bug by starting timeout worker only if
started jpegdec worker successfully. Then v4l2_m2m_job_finish will only be
called in either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run.
Author | Note |
---|---|
rodrigo-zaiden | USN-6765-1 for linux-oem-6.5 wrongly stated that this CVE was fixed in version 6.5.0-1022.23. The mentioned notice was revoked and the state of the fix for linux-oem-6.5 was recovered to the previous state. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-106.116 | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < 6.5.0-41.41 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1061.67 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-aws | < 6.5.0-1021.21 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1061.67~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < 5.15.0-1063.72 | UNKNOWN |
git.kernel.org/linus/206c857dd17d4d026de85866f1b5f0969f2a109e (6.8-rc1)
git.kernel.org/stable/c/1b1036c60a37a30caf6759a90fe5ecd06ec35590
git.kernel.org/stable/c/206c857dd17d4d026de85866f1b5f0969f2a109e
git.kernel.org/stable/c/43872f44eee6c6781fea1348b38885d8e78face9
git.kernel.org/stable/c/6e2f37022f0fc0893da4d85a0500c9d547fffd4c
git.kernel.org/stable/c/8254d54d00eb6cdb8367399c7f912eb8d354ecd7
git.kernel.org/stable/c/9fec4db7fff54d9b0306a332bab31eac47eeb5f6
launchpad.net/bugs/cve/CVE-2023-52491
nvd.nist.gov/vuln/detail/CVE-2023-52491
security-tracker.debian.org/tracker/CVE-2023-52491
ubuntu.com/security/notices/USN-6766-1
ubuntu.com/security/notices/USN-6766-2
ubuntu.com/security/notices/USN-6766-3
ubuntu.com/security/notices/USN-6795-1
ubuntu.com/security/notices/USN-6818-1
ubuntu.com/security/notices/USN-6818-2
ubuntu.com/security/notices/USN-6818-3
ubuntu.com/security/notices/USN-6818-4
ubuntu.com/security/notices/USN-6819-1
ubuntu.com/security/notices/USN-6819-2
ubuntu.com/security/notices/USN-6819-3
ubuntu.com/security/notices/USN-6819-4
ubuntu.com/security/notices/USN-6828-1
www.cve.org/CVERecord?id=CVE-2023-52491