| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024102135-CVE-2024-49981-0fb7@gregkh>
Date: Mon, 21 Oct 2024 20:03:09 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-49981: media: venus: fix use after free bug in venus_remove due to race condition
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
media: venus: fix use after free bug in venus_remove due to race condition
in venus_probe, core->work is bound with venus_sys_error_handler, which is
used to handle error. The code use core->sys_err_done to make sync work.
The core->work is started in venus_event_notify.
If we call venus_remove, there might be an unfished work. The possible
sequence is as follows:
CPU0 CPU1
|venus_sys_error_handler
venus_remove |
hfi_destroy |
venus_hfi_destroy |
kfree(hdev); |
|hfi_reinit
|venus_hfi_queues_reinit
|//use hdev
Fix it by canceling the work in venus_remove.
The Linux kernel CVE team has assigned CVE-2024-49981 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.13 with commit af2c3834c8ca and fixed in 5.10.227 with commit 60b6968341a6
Issue introduced in 4.13 with commit af2c3834c8ca and fixed in 5.15.168 with commit bf6be32e2d39
Issue introduced in 4.13 with commit af2c3834c8ca and fixed in 6.1.113 with commit 2a541fcc0bd2
Issue introduced in 4.13 with commit af2c3834c8ca and fixed in 6.6.55 with commit b0686aedc5f1
Issue introduced in 4.13 with commit af2c3834c8ca and fixed in 6.10.14 with commit d925e9f7fb5a
Issue introduced in 4.13 with commit af2c3834c8ca and fixed in 6.11.3 with commit 10941d4f99a5
Issue introduced in 4.13 with commit af2c3834c8ca and fixed in 6.12-rc1 with commit c5a85ed88e04
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-49981
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/media/platform/qcom/venus/core.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/60b6968341a6dd5353554f3e72db554693a128a5
https://git.kernel.org/stable/c/bf6be32e2d39f6301ff1831e249d32a8744ab28a
https://git.kernel.org/stable/c/2a541fcc0bd2b05a458e9613376df1289ec11621
https://git.kernel.org/stable/c/b0686aedc5f1343442d044bd64eeac7e7a391f4e
https://git.kernel.org/stable/c/d925e9f7fb5a2dbefd1a73fc01061f38c7becd4c
https://git.kernel.org/stable/c/10941d4f99a5a34999121b314afcd9c0a1c14f15
https://git.kernel.org/stable/c/c5a85ed88e043474161bbfe54002c89c1cb50ee2
Powered by blists - more mailing lists