In the Linux kernel, the following vulnerability has been resolved: media:
mediatek: vcodec: Fix oops when HEVC init fails The stateless HEVC decoder
saves the instance pointer in the context regardless if the initialization
worked or not. This caused a use after free, when the pointer is freed in
case of a failure in the deinit function. Only store the instance pointer
when the initialization was successful, to solve this issue. Hardware name:
Acer Tomato (rev3 - 4) board (DT) pstate: 80400009 (Nzcv daif +PAN -UAO
-TCO -DIT -SSBS BTYPE=–) pc : vcodec_vpu_send_msg+0x4c/0x190
[mtk_vcodec_dec] lr : vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] sp :
ffff80008750bc20 x29: ffff80008750bc20 x28: ffff1299f6d70000 x27:
0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24:
0000000000000000 x23: ffff80008750bc98 x22: 000000000000a003 x21:
ffffd45c4cfae000 x20: 0000000000000010 x19: ffff1299fd668310 x18:
000000000000001a x17: 000000040044ffff x16: ffffd45cb15dc648 x15:
0000000000000000 x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12:
ffffd45cb2f5fe80 x11: 0000000000000001 x10: 0000000000001b30 x9 :
ffffd45c4d12b488 x8 : 1fffe25339380d81 x7 : 0000000000000001 x6 :
ffff1299c9c06c00 x5 : 0000000000000132 x4 : 0000000000000000 x3 :
0000000000000000 x2 : 0000000000000010 x1 : ffff80008750bc98 x0 :
0000000000000000 Call trace: vcodec_vpu_send_msg+0x4c/0x190
[mtk_vcodec_dec] vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]
vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec] vdec_hevc_slice_deinit+0x30/0x98
[mtk_vcodec_dec] vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec]
mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec]
fops_vcodec_release+0x64/0x118 [mtk_vcodec_dec] v4l2_release+0x7c/0x100
__fput+0x80/0x2d8 __fput_sync+0x58/0x70 __arm64_sys_close+0x40/0x90
invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0x48/0xf0
do_el0_svc+0x24/0x38 el0_svc+0x38/0xd8 el0t_64_sync_handler+0xc0/0xc8
el0t_64_sync+0x1a8/0x1b0 Code: d503201f f9401660 b900127f b900227f
(f9400400)
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 24.04 | noarch | linux | < 6.8.0-38.38 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < 6.8.0-1011.12 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-azure | < 6.8.0-1010.10 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-gcp | < 6.8.0-1010.11 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gcp-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-gke | < 6.8.0-1006.9 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-ibm | < 6.8.0-1008.8 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-intel | < 6.8.0-1007.14 | UNKNOWN |
git.kernel.org/linus/97c75ee5de060d271d80109b0c47cb6008439e5b (6.9-rc4)
git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e
git.kernel.org/stable/c/97c75ee5de060d271d80109b0c47cb6008439e5b
git.kernel.org/stable/c/ec25fc3c2c1e8958a51abcfed614f81446d918c4
launchpad.net/bugs/cve/CVE-2024-35921
nvd.nist.gov/vuln/detail/CVE-2024-35921
security-tracker.debian.org/tracker/CVE-2024-35921
ubuntu.com/security/notices/USN-6893-1
ubuntu.com/security/notices/USN-6893-2
ubuntu.com/security/notices/USN-6893-3
ubuntu.com/security/notices/USN-6918-1
www.cve.org/CVERecord?id=CVE-2024-35921