lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2024122717-CVE-2024-56574-68a1@gregkh>
Date: Fri, 27 Dec 2024 15:23:25 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-56574: media: ts2020: fix null-ptr-deref in ts2020_probe()

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

media: ts2020: fix null-ptr-deref in ts2020_probe()

KASAN reported a null-ptr-deref issue when executing the following
command:

  # echo ts2020 0x20 > /sys/bus/i2c/devices/i2c-0/new_device
    KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
    CPU: 53 UID: 0 PID: 970 Comm: systemd-udevd Not tainted 6.12.0-rc2+ #24
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)
    RIP: 0010:ts2020_probe+0xad/0xe10 [ts2020]
    RSP: 0018:ffffc9000abbf598 EFLAGS: 00010202
    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffffc0714809
    RDX: 0000000000000002 RSI: ffff88811550be00 RDI: 0000000000000010
    RBP: ffff888109868800 R08: 0000000000000001 R09: fffff52001577eb6
    R10: 0000000000000000 R11: ffffc9000abbff50 R12: ffffffffc0714790
    R13: 1ffff92001577eb8 R14: ffffffffc07190d0 R15: 0000000000000001
    FS:  00007f95f13b98c0(0000) GS:ffff888149280000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000555d2634b000 CR3: 0000000152236000 CR4: 00000000000006f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     ts2020_probe+0xad/0xe10 [ts2020]
     i2c_device_probe+0x421/0xb40
     really_probe+0x266/0x850
    ...

The cause of the problem is that when using sysfs to dynamically register
an i2c device, there is no platform data, but the probe process of ts2020
needs to use platform data, resulting in a null pointer being accessed.

Solve this problem by adding checks to platform data.

The Linux kernel CVE team has assigned CVE-2024-56574 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 5.4.287 with commit ced1c04e82e3ecc246b921b9733f0df0866aa50d
	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 5.10.231 with commit 5a53f97cd5977911850b695add057f9965c1a2d6
	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 5.15.174 with commit b6208d1567f929105011bcdfd738f59a6bdc1088
	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 6.1.120 with commit dc03866b5f4aa2668946f8384a1e5286ae53bbaa
	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 6.6.64 with commit a2ed3b780f34e4a6403064208bc2c99d1ed85026
	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 6.12.4 with commit 901070571bc191d1d8d7a1379bc5ba9446200999
	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 6.13-rc1 with commit 4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56574
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/media/dvb-frontends/ts2020.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/ced1c04e82e3ecc246b921b9733f0df0866aa50d
	https://git.kernel.org/stable/c/5a53f97cd5977911850b695add057f9965c1a2d6
	https://git.kernel.org/stable/c/b6208d1567f929105011bcdfd738f59a6bdc1088
	https://git.kernel.org/stable/c/dc03866b5f4aa2668946f8384a1e5286ae53bbaa
	https://git.kernel.org/stable/c/a2ed3b780f34e4a6403064208bc2c99d1ed85026
	https://git.kernel.org/stable/c/901070571bc191d1d8d7a1379bc5ba9446200999
	https://git.kernel.org/stable/c/4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ