| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025122411-CVE-2023-54103-5493@gregkh>
Date: Wed, 24 Dec 2025 14:07:00 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-54103: media: mtk-jpeg: Fix use after free bug due to uncanceled work
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
media: mtk-jpeg: Fix use after free bug due to uncanceled work
In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with
mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run
and mtk_jpeg_enc_device_run may be called to start the
work.
If we remove the module which will call mtk_jpeg_remove
to make cleanup, there may be a unfinished work. The
possible sequence is as follows, which will cause a
typical UAF bug.
Fix it by canceling the work before cleanup in the mtk_jpeg_remove
CPU0 CPU1
|mtk_jpeg_job_timeout_work
mtk_jpeg_remove |
v4l2_m2m_release |
kfree(m2m_dev); |
|
| v4l2_m2m_get_curr_priv
| m2m_dev->curr_ctx //use
The Linux kernel CVE team has assigned CVE-2023-54103 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.12 with commit b2f0d2724ba477d326e9d654d4db1c93e98f8b93 and fixed in 5.10.199 with commit d346a2ef6b1ebb77d740890cfaf8478c5b286380
Issue introduced in 4.12 with commit b2f0d2724ba477d326e9d654d4db1c93e98f8b93 and fixed in 5.15.136 with commit d56dbfe750a8f96789cc86a911864f663e63bc5d
Issue introduced in 4.12 with commit b2f0d2724ba477d326e9d654d4db1c93e98f8b93 and fixed in 6.1.53 with commit 715c0200b4809396998e562ce5cd0284e7314cc1
Issue introduced in 4.12 with commit b2f0d2724ba477d326e9d654d4db1c93e98f8b93 and fixed in 6.4.16 with commit 8977d9924843823f46696d7d9432ea4b2499ed14
Issue introduced in 4.12 with commit b2f0d2724ba477d326e9d654d4db1c93e98f8b93 and fixed in 6.5.3 with commit 2fc20f8bcc2b4d31c808a5320506c31aa2cf3834
Issue introduced in 4.12 with commit b2f0d2724ba477d326e9d654d4db1c93e98f8b93 and fixed in 6.6 with commit c677d7ae83141d390d1253abebafa49c962afb52
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-54103
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/d346a2ef6b1ebb77d740890cfaf8478c5b286380
https://git.kernel.org/stable/c/d56dbfe750a8f96789cc86a911864f663e63bc5d
https://git.kernel.org/stable/c/715c0200b4809396998e562ce5cd0284e7314cc1
https://git.kernel.org/stable/c/8977d9924843823f46696d7d9432ea4b2499ed14
https://git.kernel.org/stable/c/2fc20f8bcc2b4d31c808a5320506c31aa2cf3834
https://git.kernel.org/stable/c/c677d7ae83141d390d1253abebafa49c962afb52
Powered by blists - more mailing lists