cve/published/2024/CVE-2024-56576.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56576: media: i2c: tc358743: Fix crash in the probe error path when using polling

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 media: i2c: tc358743: Fix crash in the probe error path when using polling

 If an error occurs in the probe() function, we should remove the polling
 timer that was alarmed earlier, otherwise the timer is called with
 arguments that are already freed, which results in a crash.

 ------------[ cut here ]------------
 WARNING: CPU: 3 PID: 0 at kernel/time/timer.c:1830 __run_timers+0x244/0x268
 Modules linked in:
 CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.11.0 #226
 Hardware name: Diasom DS-RK3568-SOM-EVB (DT)
 pstate: 804000c9 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : __run_timers+0x244/0x268
 lr : __run_timers+0x1d4/0x268
 sp : ffffff80eff2baf0
 x29: ffffff80eff2bb50 x28: 7fffffffffffffff x27: ffffff80eff2bb00
 x26: ffffffc080f669c0 x25: ffffff80efef6bf0 x24: ffffff80eff2bb00
 x23: 0000000000000000 x22: dead000000000122 x21: 0000000000000000
 x20: ffffff80efef6b80 x19: ffffff80041c8bf8 x18: ffffffffffffffff
 x17: ffffffc06f146000 x16: ffffff80eff27dc0 x15: 000000000000003e
 x14: 0000000000000000 x13: 00000000000054da x12: 0000000000000000
 x11: 00000000000639c0 x10: 000000000000000c x9 : 0000000000000009
 x8 : ffffff80eff2cb40 x7 : ffffff80eff2cb40 x6 : ffffff8002bee480
 x5 : ffffffc080cb2220 x4 : ffffffc080cb2150 x3 : 00000000000f4240
 x2 : 0000000000000102 x1 : ffffff80eff2bb00 x0 : ffffff80041c8bf0
 Call trace:
  __run_timers+0x244/0x268
  timer_expire_remote+0x50/0x68
  tmigr_handle_remote+0x388/0x39c
  run_timer_softirq+0x38/0x44
  handle_softirqs+0x138/0x298
  __do_softirq+0x14/0x20
  ____do_softirq+0x10/0x1c
  call_on_irq_stack+0x24/0x4c
  do_softirq_own_stack+0x1c/0x2c
  irq_exit_rcu+0x9c/0xcc
  el1_interrupt+0x48/0xc0
  el1h_64_irq_handler+0x18/0x24
  el1h_64_irq+0x7c/0x80
  default_idle_call+0x34/0x68
  do_idle+0x23c/0x294
  cpu_startup_entry+0x38/0x3c
  secondary_start_kernel+0x128/0x160
  __secondary_switched+0xb8/0xbc
 ---[ end trace 0000000000000000 ]---

 The Linux kernel CVE team has assigned CVE-2024-56576 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.13 with commit 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a and fixed in 5.4.287 with commit 13193a97ddd5a6a5b11408ddbc1ae85588b1860c
 	Issue introduced in 4.13 with commit 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a and fixed in 5.10.231 with commit 5c9ab34c87af718bdbf9faa2b1a6ba41d15380ea
 	Issue introduced in 4.13 with commit 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a and fixed in 5.15.174 with commit 815d14147068347e88c258233eb951b41b2792a6
 	Issue introduced in 4.13 with commit 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a and fixed in 6.1.120 with commit 34a3466a92f50c51d984f0ec2e96864886d460eb
 	Issue introduced in 4.13 with commit 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a and fixed in 6.6.64 with commit b59ab89bc83f7bff67f78c6caf484a84a6dd30f7
 	Issue introduced in 4.13 with commit 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a and fixed in 6.12.4 with commit 1def915b1564f4375330bd113ea1d768a569cfd8
 	Issue introduced in 4.13 with commit 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a and fixed in 6.13 with commit 869f38ae07f7df829da4951c3d1f7a2be09c2e9a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56576
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/media/i2c/tc358743.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/13193a97ddd5a6a5b11408ddbc1ae85588b1860c
 	https://git.kernel.org/stable/c/5c9ab34c87af718bdbf9faa2b1a6ba41d15380ea
 	https://git.kernel.org/stable/c/815d14147068347e88c258233eb951b41b2792a6
 	https://git.kernel.org/stable/c/34a3466a92f50c51d984f0ec2e96864886d460eb
 	https://git.kernel.org/stable/c/b59ab89bc83f7bff67f78c6caf484a84a6dd30f7
 	https://git.kernel.org/stable/c/1def915b1564f4375330bd113ea1d768a569cfd8
 	https://git.kernel.org/stable/c/869f38ae07f7df829da4951c3d1f7a2be09c2e9a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56576: media: i2c: tc358743: Fix crash in the probe error path when using polling

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	media: i2c: tc358743: Fix crash in the probe error path when using polling

	If an error occurs in the probe() function, we should remove the polling
	timer that was alarmed earlier, otherwise the timer is called with
	arguments that are already freed, which results in a crash.

	------------[ cut here ]------------
	WARNING: CPU: 3 PID: 0 at kernel/time/timer.c:1830 __run_timers+0x244/0x268
	Modules linked in:
	CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.11.0 #226
	Hardware name: Diasom DS-RK3568-SOM-EVB (DT)
	pstate: 804000c9 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	pc : __run_timers+0x244/0x268
	lr : __run_timers+0x1d4/0x268
	sp : ffffff80eff2baf0
	x29: ffffff80eff2bb50 x28: 7fffffffffffffff x27: ffffff80eff2bb00
	x26: ffffffc080f669c0 x25: ffffff80efef6bf0 x24: ffffff80eff2bb00
	x23: 0000000000000000 x22: dead000000000122 x21: 0000000000000000
	x20: ffffff80efef6b80 x19: ffffff80041c8bf8 x18: ffffffffffffffff
	x17: ffffffc06f146000 x16: ffffff80eff27dc0 x15: 000000000000003e
	x14: 0000000000000000 x13: 00000000000054da x12: 0000000000000000
	x11: 00000000000639c0 x10: 000000000000000c x9 : 0000000000000009
	x8 : ffffff80eff2cb40 x7 : ffffff80eff2cb40 x6 : ffffff8002bee480
	x5 : ffffffc080cb2220 x4 : ffffffc080cb2150 x3 : 00000000000f4240
	x2 : 0000000000000102 x1 : ffffff80eff2bb00 x0 : ffffff80041c8bf0
	Call trace:
	__run_timers+0x244/0x268
	timer_expire_remote+0x50/0x68
	tmigr_handle_remote+0x388/0x39c
	run_timer_softirq+0x38/0x44
	handle_softirqs+0x138/0x298
	__do_softirq+0x14/0x20
	____do_softirq+0x10/0x1c
	call_on_irq_stack+0x24/0x4c
	do_softirq_own_stack+0x1c/0x2c
	irq_exit_rcu+0x9c/0xcc
	el1_interrupt+0x48/0xc0
	el1h_64_irq_handler+0x18/0x24
	el1h_64_irq+0x7c/0x80
	default_idle_call+0x34/0x68
	do_idle+0x23c/0x294
	cpu_startup_entry+0x38/0x3c
	secondary_start_kernel+0x128/0x160
	__secondary_switched+0xb8/0xbc
	---[ end trace 0000000000000000 ]---

	The Linux kernel CVE team has assigned CVE-2024-56576 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.13 with commit 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a and fixed in 5.4.287 with commit 13193a97ddd5a6a5b11408ddbc1ae85588b1860c
	Issue introduced in 4.13 with commit 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a and fixed in 5.10.231 with commit 5c9ab34c87af718bdbf9faa2b1a6ba41d15380ea
	Issue introduced in 4.13 with commit 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a and fixed in 5.15.174 with commit 815d14147068347e88c258233eb951b41b2792a6
	Issue introduced in 4.13 with commit 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a and fixed in 6.1.120 with commit 34a3466a92f50c51d984f0ec2e96864886d460eb
	Issue introduced in 4.13 with commit 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a and fixed in 6.6.64 with commit b59ab89bc83f7bff67f78c6caf484a84a6dd30f7
	Issue introduced in 4.13 with commit 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a and fixed in 6.12.4 with commit 1def915b1564f4375330bd113ea1d768a569cfd8
	Issue introduced in 4.13 with commit 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a and fixed in 6.13 with commit 869f38ae07f7df829da4951c3d1f7a2be09c2e9a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56576
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/media/i2c/tc358743.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/13193a97ddd5a6a5b11408ddbc1ae85588b1860c
	https://git.kernel.org/stable/c/5c9ab34c87af718bdbf9faa2b1a6ba41d15380ea
	https://git.kernel.org/stable/c/815d14147068347e88c258233eb951b41b2792a6
	https://git.kernel.org/stable/c/34a3466a92f50c51d984f0ec2e96864886d460eb
	https://git.kernel.org/stable/c/b59ab89bc83f7bff67f78c6caf484a84a6dd30f7
	https://git.kernel.org/stable/c/1def915b1564f4375330bd113ea1d768a569cfd8
	https://git.kernel.org/stable/c/869f38ae07f7df829da4951c3d1f7a2be09c2e9a