The vulnerability resides in the `atomisp_alloc_css_stat_bufs()` function within the Linux kernel's media subsystem, specifically in the AtomISP driver. The issue arises from the incorrect handling of memory allocation and deallocation for a buffer structure (`s3a_buf`) contained within a list (`asd->s3a_stats`). When this list is freed, all its elements, including `s3a_buf`, are also freed. However, the code later attempts to access and use the already-freed `s3a_buf` buffer, leading to a use-after-free scenario.
This vulnerability can result in a double free, in which the same memory region is deallocated twice, and can cause system instability or crashes. The Linux kernel CVE team has assigned this issue the identifier CVE-2020-36785.
The affected code was introduced in Linux kernel version 5.8 with commit `ad85094b293e` and was fixed in subsequent versions: 5.10.37 with commit `d218c7a0284f`, 5.11.21 with commit `801c1d505894`, 5.12.4 with commit `8267ccd7b9df`, and 5.13 with commit `ba11bbf303fa`. The affected file is `drivers/staging/media/atomisp/pci/atomisp_ioctl.c`.
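To make the ownership mistake behind this bug concrete, the following user-space C model (an added example, not the AtomISP driver's code) reproduces the error-path shape the description gives: buffers are linked onto a list standing in for `asd->s3a_stats`, the list is torn down on failure, and the stale local `s3a_buf` is then freed a second time. A small tracking allocator stands in for `kzalloc`/`kfree` and reports the invalid free instead of corrupting the heap; `tracked_alloc`, `tracked_free`, `struct s3a_buf_t` and `alloc_s3a_stats` are all constructed for this example.

```c
#include <stdlib.h>

#define MAX_LIVE 64
static void *live[MAX_LIVE];   /* constructed: table of outstanding allocations */

/* malloc() wrapper that records the pointer so an invalid free can be caught later. */
static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                    /* malloc failed or table full */
    return NULL;
}

/* Returns 0 on a valid free; -1 and no action when p is not a live allocation
 * (a double free or a stale pointer), which a real kfree() cannot tell you. */
static int tracked_free(void *p) {
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    return -1;
}

/* Stand-in for struct atomisp_s3a_buf: an element owned by a linked list. */
struct s3a_buf_t { struct s3a_buf_t *next; char stats[32]; };
/* Models the error path of atomisp_alloc_css_stat_bufs(): link up to `count` buffers
 * onto a list standing in for asd->s3a_stats, hit a simulated allocation failure at
 * index `fail_at`, then tear the list down. With buggy != 0 the described flaw is kept:
 * the local s3a_buf, already released by the list walk, is freed once more.
 * Returns how many invalid frees the tracking allocator caught (0 for the fixed form). */
static int alloc_s3a_stats(int count, int fail_at, int buggy) {
    struct s3a_buf_t *s3a_stats = NULL, *s3a_buf = NULL, *cur, *next;
    int bad_frees = 0;
    for (int i = 0; i < count; i++) {
        if (i == fail_at) goto error;   /* kzalloc() "fails"; s3a_buf still names the last linked buffer */
        s3a_buf = tracked_alloc(sizeof *s3a_buf);
        if (!s3a_buf) goto error;
        s3a_buf->next = s3a_stats;      /* list_add_tail(): the list now owns s3a_buf */
        s3a_stats = s3a_buf;
    }
error:
    /* list_for_each_entry_safe() teardown frees every element, s3a_buf's included
     * (the success path is funnelled here too so the model never leaks). */
    for (cur = s3a_stats; cur; cur = next) {
        next = cur->next;
        if (tracked_free(cur) < 0) bad_frees++;
    }
    if (buggy && s3a_buf && tracked_free(s3a_buf) < 0)   /* the defect: second free of a list member */
        bad_frees++;
    return bad_frees;
}
```

The corrected form is simply the teardown loop alone: once an element is on the list, the list walk is its only owner, and no local pointer to it may be freed or dereferenced afterwards.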