cve/published/2024/CVE-2024-58079.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-58079: media: uvcvideo: Fix crash during unbind if gpio unit is in use

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 media: uvcvideo: Fix crash during unbind if gpio unit is in use

 We used the wrong device for the device managed functions. We used the
 usb device, when we should be using the interface device.

 If we unbind the driver from the usb interface, the cleanup functions
 are never called. In our case, the IRQ is never disabled.

 If an IRQ is triggered, it will try to access memory sections that are
 already free, causing an OOPS.

 We cannot use the function devm_request_threaded_irq here. The devm_*
 clean functions may be called after the main structure is released by
 uvc_delete.

 Luckily this bug has small impact, as it is only affected by devices
 with gpio units and the user has to unbind the device, a disconnect will
 not trigger this error.

 The Linux kernel CVE team has assigned CVE-2024-58079 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.12 with commit 2886477ff98740cc3333cf785e4de0b1ff3d7a28 and fixed in 5.15.179 with commit 0fdd7cc593385e46e92e180b71e264fc9c195298
 	Issue introduced in 5.12 with commit 2886477ff98740cc3333cf785e4de0b1ff3d7a28 and fixed in 6.1.130 with commit 3c00e94d00ca079bef7906d6f39d1091bccfedd3
 	Issue introduced in 5.12 with commit 2886477ff98740cc3333cf785e4de0b1ff3d7a28 and fixed in 6.6.78 with commit 0b5e0445bc8384c18bd35cb9fe87f6258c6271d9
 	Issue introduced in 5.12 with commit 2886477ff98740cc3333cf785e4de0b1ff3d7a28 and fixed in 6.12.14 with commit d2eac8b14ac690aa73052aa6d4ba69005715367e
 	Issue introduced in 5.12 with commit 2886477ff98740cc3333cf785e4de0b1ff3d7a28 and fixed in 6.13.3 with commit 5d2e65cbe53d0141ed095cf31c2dcf3d8668c11d
 	Issue introduced in 5.12 with commit 2886477ff98740cc3333cf785e4de0b1ff3d7a28 and fixed in 6.14 with commit a9ea1a3d88b7947ce8cadb2afceee7a54872bbc5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-58079
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/media/usb/uvc/uvc_driver.c
 	drivers/media/usb/uvc/uvcvideo.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0fdd7cc593385e46e92e180b71e264fc9c195298
 	https://git.kernel.org/stable/c/3c00e94d00ca079bef7906d6f39d1091bccfedd3
 	https://git.kernel.org/stable/c/0b5e0445bc8384c18bd35cb9fe87f6258c6271d9
 	https://git.kernel.org/stable/c/d2eac8b14ac690aa73052aa6d4ba69005715367e
 	https://git.kernel.org/stable/c/5d2e65cbe53d0141ed095cf31c2dcf3d8668c11d
 	https://git.kernel.org/stable/c/a9ea1a3d88b7947ce8cadb2afceee7a54872bbc5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-58079: media: uvcvideo: Fix crash during unbind if gpio unit is in use

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	media: uvcvideo: Fix crash during unbind if gpio unit is in use

	We used the wrong device for the device managed functions. We used the
	usb device, when we should be using the interface device.

	If we unbind the driver from the usb interface, the cleanup functions
	are never called. In our case, the IRQ is never disabled.

	If an IRQ is triggered, it will try to access memory sections that are
	already free, causing an OOPS.

	We cannot use the function devm_request_threaded_irq here. The devm_*
	clean functions may be called after the main structure is released by
	uvc_delete.

	Luckily this bug has small impact, as it is only affected by devices
	with gpio units and the user has to unbind the device, a disconnect will
	not trigger this error.

	The Linux kernel CVE team has assigned CVE-2024-58079 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.12 with commit 2886477ff98740cc3333cf785e4de0b1ff3d7a28 and fixed in 5.15.179 with commit 0fdd7cc593385e46e92e180b71e264fc9c195298
	Issue introduced in 5.12 with commit 2886477ff98740cc3333cf785e4de0b1ff3d7a28 and fixed in 6.1.130 with commit 3c00e94d00ca079bef7906d6f39d1091bccfedd3
	Issue introduced in 5.12 with commit 2886477ff98740cc3333cf785e4de0b1ff3d7a28 and fixed in 6.6.78 with commit 0b5e0445bc8384c18bd35cb9fe87f6258c6271d9
	Issue introduced in 5.12 with commit 2886477ff98740cc3333cf785e4de0b1ff3d7a28 and fixed in 6.12.14 with commit d2eac8b14ac690aa73052aa6d4ba69005715367e
	Issue introduced in 5.12 with commit 2886477ff98740cc3333cf785e4de0b1ff3d7a28 and fixed in 6.13.3 with commit 5d2e65cbe53d0141ed095cf31c2dcf3d8668c11d
	Issue introduced in 5.12 with commit 2886477ff98740cc3333cf785e4de0b1ff3d7a28 and fixed in 6.14 with commit a9ea1a3d88b7947ce8cadb2afceee7a54872bbc5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-58079
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/media/usb/uvc/uvc_driver.c
	drivers/media/usb/uvc/uvcvideo.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0fdd7cc593385e46e92e180b71e264fc9c195298
	https://git.kernel.org/stable/c/3c00e94d00ca079bef7906d6f39d1091bccfedd3
	https://git.kernel.org/stable/c/0b5e0445bc8384c18bd35cb9fe87f6258c6271d9
	https://git.kernel.org/stable/c/d2eac8b14ac690aa73052aa6d4ba69005715367e
	https://git.kernel.org/stable/c/5d2e65cbe53d0141ed095cf31c2dcf3d8668c11d
	https://git.kernel.org/stable/c/a9ea1a3d88b7947ce8cadb2afceee7a54872bbc5