cve/published/2022/CVE-2022-49247.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49247: media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED

 If the callback 'start_streaming' fails, then all
 queued buffers in the driver should be returned with
 state 'VB2_BUF_STATE_QUEUED'. Currently, they are
 returned with 'VB2_BUF_STATE_ERROR' which is wrong.
 Fix this. This also fixes the warning:

 [   65.583633] WARNING: CPU: 5 PID: 593 at drivers/media/common/videobuf2/videobuf2-core.c:1612 vb2_start_streaming+0xd4/0x160 [videobuf2_common]
 [   65.585027] Modules linked in: snd_usb_audio snd_hwdep snd_usbmidi_lib snd_rawmidi snd_soc_hdmi_codec dw_hdmi_i2s_audio saa7115 stk1160 videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc crct10dif_ce panfrost snd_soc_simple_card snd_soc_audio_graph_card snd_soc_spdif_tx snd_soc_simple_card_utils gpu_sched phy_rockchip_pcie snd_soc_rockchip_i2s rockchipdrm analogix_dp dw_mipi_dsi dw_hdmi cec drm_kms_helper drm rtc_rk808 rockchip_saradc industrialio_triggered_buffer kfifo_buf rockchip_thermal pcie_rockchip_host ip_tables x_tables ipv6
 [   65.589383] CPU: 5 PID: 593 Comm: v4l2src0:src Tainted: G        W         5.16.0-rc4-62408-g32447129cb30-dirty #14
 [   65.590293] Hardware name: Radxa ROCK Pi 4B (DT)
 [   65.590696] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 [   65.591304] pc : vb2_start_streaming+0xd4/0x160 [videobuf2_common]
 [   65.591850] lr : vb2_start_streaming+0x6c/0x160 [videobuf2_common]
 [   65.592395] sp : ffff800012bc3ad0
 [   65.592685] x29: ffff800012bc3ad0 x28: 0000000000000000 x27: ffff800012bc3cd8
 [   65.593312] x26: 0000000000000000 x25: ffff00000d8a7800 x24: 0000000040045612
 [   65.593938] x23: ffff800011323000 x22: ffff800012bc3cd8 x21: ffff00000908a8b0
 [   65.594562] x20: ffff00000908a8c8 x19: 00000000fffffff4 x18: ffffffffffffffff
 [   65.595188] x17: 000000040044ffff x16: 00400034b5503510 x15: ffff800011323f78
 [   65.595813] x14: ffff000013163886 x13: ffff000013163885 x12: 00000000000002ce
 [   65.596439] x11: 0000000000000028 x10: 0000000000000001 x9 : 0000000000000228
 [   65.597064] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff726c5e78
 [   65.597690] x5 : ffff800012bc3990 x4 : 0000000000000000 x3 : ffff000009a34880
 [   65.598315] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000007cd99f0
 [   65.598940] Call trace:
 [   65.599155]  vb2_start_streaming+0xd4/0x160 [videobuf2_common]
 [   65.599672]  vb2_core_streamon+0x17c/0x1a8 [videobuf2_common]
 [   65.600179]  vb2_streamon+0x54/0x88 [videobuf2_v4l2]
 [   65.600619]  vb2_ioctl_streamon+0x54/0x60 [videobuf2_v4l2]
 [   65.601103]  v4l_streamon+0x3c/0x50 [videodev]
 [   65.601521]  __video_do_ioctl+0x1a4/0x428 [videodev]
 [   65.601977]  video_usercopy+0x320/0x828 [videodev]
 [   65.602419]  video_ioctl2+0x3c/0x58 [videodev]
 [   65.602830]  v4l2_ioctl+0x60/0x90 [videodev]
 [   65.603227]  __arm64_sys_ioctl+0xa8/0xe0
 [   65.603576]  invoke_syscall+0x54/0x118
 [   65.603911]  el0_svc_common.constprop.3+0x84/0x100
 [   65.604332]  do_el0_svc+0x34/0xa0
 [   65.604625]  el0_svc+0x1c/0x50
 [   65.604897]  el0t_64_sync_handler+0x88/0xb0
 [   65.605264]  el0t_64_sync+0x16c/0x170
 [   65.605587] ---[ end trace 578e0ba07742170d ]---

 The Linux kernel CVE team has assigned CVE-2022-49247 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 4.14.276 with commit 03054f22d5abd80ad89547512c2bfbfb2714d3ed
 	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 4.19.238 with commit f04a520a422222fc921bf035dc67414c500a286a
 	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 5.4.189 with commit 3cc050df73e3d973f1870a8dc0e177e77670bc7f
 	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 5.10.110 with commit 4d68603cc4382174bc1e7d532e10675c48c6b257
 	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 5.15.33 with commit a09e9882800fdfc5aab93f77c3f0132071d2191b
 	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 5.16.19 with commit 2874122ca4ca74adec72d6d6bf8828228ec20f15
 	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 5.17.2 with commit f66e6fd1488d26229f11d86616de1b658c70fa8a
 	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 5.18 with commit fbe04b49a54e31f4321d632270207f0e6304cd16

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49247
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/media/usb/stk1160/stk1160-core.c
 	drivers/media/usb/stk1160/stk1160-v4l.c
 	drivers/media/usb/stk1160/stk1160.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/03054f22d5abd80ad89547512c2bfbfb2714d3ed
 	https://git.kernel.org/stable/c/f04a520a422222fc921bf035dc67414c500a286a
 	https://git.kernel.org/stable/c/3cc050df73e3d973f1870a8dc0e177e77670bc7f
 	https://git.kernel.org/stable/c/4d68603cc4382174bc1e7d532e10675c48c6b257
 	https://git.kernel.org/stable/c/a09e9882800fdfc5aab93f77c3f0132071d2191b
 	https://git.kernel.org/stable/c/2874122ca4ca74adec72d6d6bf8828228ec20f15
 	https://git.kernel.org/stable/c/f66e6fd1488d26229f11d86616de1b658c70fa8a
 	https://git.kernel.org/stable/c/fbe04b49a54e31f4321d632270207f0e6304cd16
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49247: media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED

	If the callback 'start_streaming' fails, then all
	queued buffers in the driver should be returned with
	state 'VB2_BUF_STATE_QUEUED'. Currently, they are
	returned with 'VB2_BUF_STATE_ERROR' which is wrong.
	Fix this. This also fixes the warning:

	[ 65.583633] WARNING: CPU: 5 PID: 593 at drivers/media/common/videobuf2/videobuf2-core.c:1612 vb2_start_streaming+0xd4/0x160 [videobuf2_common]
	[ 65.585027] Modules linked in: snd_usb_audio snd_hwdep snd_usbmidi_lib snd_rawmidi snd_soc_hdmi_codec dw_hdmi_i2s_audio saa7115 stk1160 videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc crct10dif_ce panfrost snd_soc_simple_card snd_soc_audio_graph_card snd_soc_spdif_tx snd_soc_simple_card_utils gpu_sched phy_rockchip_pcie snd_soc_rockchip_i2s rockchipdrm analogix_dp dw_mipi_dsi dw_hdmi cec drm_kms_helper drm rtc_rk808 rockchip_saradc industrialio_triggered_buffer kfifo_buf rockchip_thermal pcie_rockchip_host ip_tables x_tables ipv6
	[ 65.589383] CPU: 5 PID: 593 Comm: v4l2src0:src Tainted: G W 5.16.0-rc4-62408-g32447129cb30-dirty #14
	[ 65.590293] Hardware name: Radxa ROCK Pi 4B (DT)
	[ 65.590696] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	[ 65.591304] pc : vb2_start_streaming+0xd4/0x160 [videobuf2_common]
	[ 65.591850] lr : vb2_start_streaming+0x6c/0x160 [videobuf2_common]
	[ 65.592395] sp : ffff800012bc3ad0
	[ 65.592685] x29: ffff800012bc3ad0 x28: 0000000000000000 x27: ffff800012bc3cd8
	[ 65.593312] x26: 0000000000000000 x25: ffff00000d8a7800 x24: 0000000040045612
	[ 65.593938] x23: ffff800011323000 x22: ffff800012bc3cd8 x21: ffff00000908a8b0
	[ 65.594562] x20: ffff00000908a8c8 x19: 00000000fffffff4 x18: ffffffffffffffff
	[ 65.595188] x17: 000000040044ffff x16: 00400034b5503510 x15: ffff800011323f78
	[ 65.595813] x14: ffff000013163886 x13: ffff000013163885 x12: 00000000000002ce
	[ 65.596439] x11: 0000000000000028 x10: 0000000000000001 x9 : 0000000000000228
	[ 65.597064] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff726c5e78
	[ 65.597690] x5 : ffff800012bc3990 x4 : 0000000000000000 x3 : ffff000009a34880
	[ 65.598315] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000007cd99f0
	[ 65.598940] Call trace:
	[ 65.599155] vb2_start_streaming+0xd4/0x160 [videobuf2_common]
	[ 65.599672] vb2_core_streamon+0x17c/0x1a8 [videobuf2_common]
	[ 65.600179] vb2_streamon+0x54/0x88 [videobuf2_v4l2]
	[ 65.600619] vb2_ioctl_streamon+0x54/0x60 [videobuf2_v4l2]
	[ 65.601103] v4l_streamon+0x3c/0x50 [videodev]
	[ 65.601521] __video_do_ioctl+0x1a4/0x428 [videodev]
	[ 65.601977] video_usercopy+0x320/0x828 [videodev]
	[ 65.602419] video_ioctl2+0x3c/0x58 [videodev]
	[ 65.602830] v4l2_ioctl+0x60/0x90 [videodev]
	[ 65.603227] __arm64_sys_ioctl+0xa8/0xe0
	[ 65.603576] invoke_syscall+0x54/0x118
	[ 65.603911] el0_svc_common.constprop.3+0x84/0x100
	[ 65.604332] do_el0_svc+0x34/0xa0
	[ 65.604625] el0_svc+0x1c/0x50
	[ 65.604897] el0t_64_sync_handler+0x88/0xb0
	[ 65.605264] el0t_64_sync+0x16c/0x170
	[ 65.605587] ---[ end trace 578e0ba07742170d ]---

	The Linux kernel CVE team has assigned CVE-2022-49247 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 4.14.276 with commit 03054f22d5abd80ad89547512c2bfbfb2714d3ed
	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 4.19.238 with commit f04a520a422222fc921bf035dc67414c500a286a
	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 5.4.189 with commit 3cc050df73e3d973f1870a8dc0e177e77670bc7f
	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 5.10.110 with commit 4d68603cc4382174bc1e7d532e10675c48c6b257
	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 5.15.33 with commit a09e9882800fdfc5aab93f77c3f0132071d2191b
	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 5.16.19 with commit 2874122ca4ca74adec72d6d6bf8828228ec20f15
	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 5.17.2 with commit f66e6fd1488d26229f11d86616de1b658c70fa8a
	Issue introduced in 3.7 with commit 8ac456495a33d9466076fea94594181ceefb76d9 and fixed in 5.18 with commit fbe04b49a54e31f4321d632270207f0e6304cd16

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49247
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/media/usb/stk1160/stk1160-core.c
	drivers/media/usb/stk1160/stk1160-v4l.c
	drivers/media/usb/stk1160/stk1160.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/03054f22d5abd80ad89547512c2bfbfb2714d3ed
	https://git.kernel.org/stable/c/f04a520a422222fc921bf035dc67414c500a286a
	https://git.kernel.org/stable/c/3cc050df73e3d973f1870a8dc0e177e77670bc7f
	https://git.kernel.org/stable/c/4d68603cc4382174bc1e7d532e10675c48c6b257
	https://git.kernel.org/stable/c/a09e9882800fdfc5aab93f77c3f0132071d2191b
	https://git.kernel.org/stable/c/2874122ca4ca74adec72d6d6bf8828228ec20f15
	https://git.kernel.org/stable/c/f66e6fd1488d26229f11d86616de1b658c70fa8a
	https://git.kernel.org/stable/c/fbe04b49a54e31f4321d632270207f0e6304cd16