cve/published/2024/CVE-2024-49981.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-49981: media: venus: fix use after free bug in venus_remove due to race condition

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 media: venus: fix use after free bug in venus_remove due to race condition

 in venus_probe, core->work is bound with venus_sys_error_handler, which is
 used to handle error. The code use core->sys_err_done to make sync work.
 The core->work is started in venus_event_notify.

 If we call venus_remove, there might be an unfished work. The possible
 sequence is as follows:

 CPU0                  CPU1

                      |venus_sys_error_handler
 venus_remove         |
 hfi_destroy	 		 |
 venus_hfi_destroy	 |
 kfree(hdev);	     |
                      |hfi_reinit
 					 |venus_hfi_queues_reinit
                      |//use hdev

 Fix it by canceling the work in venus_remove.

 The Linux kernel CVE team has assigned CVE-2024-49981 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 4.19.323 with commit 5098b9e6377577fe13d03e1d8914930f014a3314
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 5.4.285 with commit 63bbe26471ebdcc3c20bb4cc3950d666279ad658
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 5.10.227 with commit 60b6968341a6dd5353554f3e72db554693a128a5
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 5.15.168 with commit bf6be32e2d39f6301ff1831e249d32a8744ab28a
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.1.113 with commit 2a541fcc0bd2b05a458e9613376df1289ec11621
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.6.55 with commit b0686aedc5f1343442d044bd64eeac7e7a391f4e
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.10.14 with commit d925e9f7fb5a2dbefd1a73fc01061f38c7becd4c
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.11.3 with commit 10941d4f99a5a34999121b314afcd9c0a1c14f15
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.12 with commit c5a85ed88e043474161bbfe54002c89c1cb50ee2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-49981
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/media/platform/qcom/venus/core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5098b9e6377577fe13d03e1d8914930f014a3314
 	https://git.kernel.org/stable/c/63bbe26471ebdcc3c20bb4cc3950d666279ad658
 	https://git.kernel.org/stable/c/60b6968341a6dd5353554f3e72db554693a128a5
 	https://git.kernel.org/stable/c/bf6be32e2d39f6301ff1831e249d32a8744ab28a
 	https://git.kernel.org/stable/c/2a541fcc0bd2b05a458e9613376df1289ec11621
 	https://git.kernel.org/stable/c/b0686aedc5f1343442d044bd64eeac7e7a391f4e
 	https://git.kernel.org/stable/c/d925e9f7fb5a2dbefd1a73fc01061f38c7becd4c
 	https://git.kernel.org/stable/c/10941d4f99a5a34999121b314afcd9c0a1c14f15
 	https://git.kernel.org/stable/c/c5a85ed88e043474161bbfe54002c89c1cb50ee2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-49981: media: venus: fix use after free bug in venus_remove due to race condition

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	media: venus: fix use after free bug in venus_remove due to race condition

	in venus_probe, core->work is bound with venus_sys_error_handler, which is
	used to handle error. The code use core->sys_err_done to make sync work.
	The core->work is started in venus_event_notify.

	If we call venus_remove, there might be an unfished work. The possible
	sequence is as follows:

	CPU0 CPU1

	\|venus_sys_error_handler
	venus_remove \|
	hfi_destroy \|
	venus_hfi_destroy \|
	kfree(hdev); \|
	\|hfi_reinit
	\|venus_hfi_queues_reinit
	\|//use hdev

	Fix it by canceling the work in venus_remove.

	The Linux kernel CVE team has assigned CVE-2024-49981 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 4.19.323 with commit 5098b9e6377577fe13d03e1d8914930f014a3314
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 5.4.285 with commit 63bbe26471ebdcc3c20bb4cc3950d666279ad658
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 5.10.227 with commit 60b6968341a6dd5353554f3e72db554693a128a5
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 5.15.168 with commit bf6be32e2d39f6301ff1831e249d32a8744ab28a
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.1.113 with commit 2a541fcc0bd2b05a458e9613376df1289ec11621
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.6.55 with commit b0686aedc5f1343442d044bd64eeac7e7a391f4e
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.10.14 with commit d925e9f7fb5a2dbefd1a73fc01061f38c7becd4c
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.11.3 with commit 10941d4f99a5a34999121b314afcd9c0a1c14f15
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.12 with commit c5a85ed88e043474161bbfe54002c89c1cb50ee2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49981
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/media/platform/qcom/venus/core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5098b9e6377577fe13d03e1d8914930f014a3314
	https://git.kernel.org/stable/c/63bbe26471ebdcc3c20bb4cc3950d666279ad658
	https://git.kernel.org/stable/c/60b6968341a6dd5353554f3e72db554693a128a5
	https://git.kernel.org/stable/c/bf6be32e2d39f6301ff1831e249d32a8744ab28a
	https://git.kernel.org/stable/c/2a541fcc0bd2b05a458e9613376df1289ec11621
	https://git.kernel.org/stable/c/b0686aedc5f1343442d044bd64eeac7e7a391f4e
	https://git.kernel.org/stable/c/d925e9f7fb5a2dbefd1a73fc01061f38c7becd4c
	https://git.kernel.org/stable/c/10941d4f99a5a34999121b314afcd9c0a1c14f15
	https://git.kernel.org/stable/c/c5a85ed88e043474161bbfe54002c89c1cb50ee2