Message-ID: <2025091613-CVE-2025-39807-4c3b@gregkh>
Date: Tue, 16 Sep 2025 15:00:13 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39807: drm/mediatek: Add error handling for old state CRTC in atomic_disable
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

drm/mediatek: Add error handling for old state CRTC in atomic_disable

Introduce error handling to address an issue where, after a hotplug
event, the cursor continues to update. This situation can lead to a
kernel panic due to accessing the NULL `old_state->crtc`.

E.g.
Unable to handle kernel NULL pointer dereference at virtual address
Call trace:
mtk_crtc_plane_disable+0x24/0x140
mtk_plane_atomic_update+0x8c/0xa8
drm_atomic_helper_commit_planes+0x114/0x2c8
drm_atomic_helper_commit_tail_rpm+0x4c/0x158
commit_tail+0xa0/0x168
drm_atomic_helper_commit+0x110/0x120
drm_atomic_commit+0x8c/0xe0
drm_atomic_helper_update_plane+0xd4/0x128
__setplane_atomic+0xcc/0x110
drm_mode_cursor_common+0x250/0x440
drm_mode_cursor_ioctl+0x44/0x70
drm_ioctl+0x264/0x5d8
__arm64_sys_ioctl+0xd8/0x510
invoke_syscall+0x6c/0xe0
do_el0_svc+0x68/0xe8
el0_svc+0x34/0x60
el0t_64_sync_handler+0x1c/0xf8
el0t_64_sync+0x180/0x188

Adding NULL pointer checks to ensure stability by preventing operations
on an invalid CRTC state.

The Linux kernel CVE team has assigned CVE-2025-39807 to this issue.

Affected and fixed versions
===========================
Issue introduced in 6.12.40 with commit 40b5b4ba8ed87c0bfb6268c10589777652ebde4c and fixed in 6.12.45 with commit 7d5cc22efa44e0fe321ce195c71c3d7da211fbb2
Issue introduced in 6.16 with commit d208261e9f7c66960587b10473081dc1cecbe50b and fixed in 6.16.5 with commit 9a94e9d8b50bcfe89693bc899a54d3866d86e973
Issue introduced in 6.16 with commit d208261e9f7c66960587b10473081dc1cecbe50b and fixed in 6.17-rc4 with commit 0c6b24d70da21201ed009a2aca740d2dfddc7ab5
Issue introduced in 6.15.8 with commit a9c482689051ca96f4a4630fe49fd6919694caaa
Please see https://www.kernel.org for a full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-39807
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.
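
The version ranges listed above can be turned into a triage check for a fleet inventory. The following is an added example, not part of the original advisory or of kernel tooling; the function name `classify` and the sample release strings are assumptions made for illustration, and it assumes upstream version numbering.

```python
import re

# Ranges transcribed from the "Affected and fixed versions" list in this advisory:
# stable series -> (first affected patch level, first fixed patch level or None)
STABLE_RANGES = {
    (6, 12): (40, 45),
    (6, 15): (8, None),   # the advisory lists no fix for the 6.15.y series
    (6, 16): (0, 5),
}
MAINLINE_FIX_SERIES, MAINLINE_FIX_RC = (6, 17), 4   # fixed in 6.17-rc4

_RELEASE_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def classify(release):
    """Classify an upstream `uname -r` style string against CVE-2025-39807.

    Returns 'affected', 'fixed' or 'not-listed'. Assumption: upstream version
    numbering; distribution kernels may backport the fix without changing it.
    """
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    series = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    if m.group(4) is not None:
        # Release candidates: only the 6.17 cycle is described by the advisory.
        if series == MAINLINE_FIX_SERIES and patch == 0:
            return "affected" if int(m.group(4)) < MAINLINE_FIX_RC else "fixed"
        return "not-listed"
    if series in STABLE_RANGES:
        first_bad, first_fixed = STABLE_RANGES[series]
        if patch < first_bad:
            return "not-listed"
        if first_fixed is None or patch < first_fixed:
            return "affected"
        return "fixed"
    # 6.17 final and later series contain the mainline fix from 6.17-rc4.
    return "fixed" if series >= MAINLINE_FIX_SERIES else "not-listed"


if __name__ == "__main__":
    # Constructed sample release strings, not taken from the advisory.
    for rel in ("6.12.43-generic", "6.12.45", "6.15.11", "6.16.4", "6.17.0-rc3", "6.6.100"):
        print(f"{rel:18} {classify(rel)}")
```

A result of 'affected' only matters on systems that build the MediaTek DRM driver named under "Affected files"; 'not-listed' means the advisory makes no statement about that version.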
Affected files
==============
The file(s) affected by this issue are:
drivers/gpu/drm/mediatek/mtk_plane.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/7d5cc22efa44e0fe321ce195c71c3d7da211fbb2
https://git.kernel.org/stable/c/9a94e9d8b50bcfe89693bc899a54d3866d86e973
https://git.kernel.org/stable/c/0c6b24d70da21201ed009a2aca740d2dfddc7ab5