cve/published/2024/CVE-2024-42313.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-42313: media: venus: fix use after free in vdec_close

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 media: venus: fix use after free in vdec_close

 There appears to be a possible use after free with vdec_close().
 The firmware will add buffer release work to the work queue through
 HFI callbacks as a normal part of decoding. Randomly closing the
 decoder device from userspace during normal decoding can incur
 a read after free for inst.

 Fix it by cancelling the work in vdec_close.

 The Linux kernel CVE team has assigned CVE-2024-42313 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 4.19.320 with commit ad8cf035baf29467158e0550c7a42b7bb43d1db6
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 5.4.282 with commit 72aff311194c8ceda934f24fd6f250b8827d7567
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 5.10.224 with commit 4c9d235630d35db762b85a4149bbb0be9d504c36
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 5.15.165 with commit f8e9a63b982a8345470c225679af4ba86e4a7282
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.1.103 with commit da55685247f409bf7f976cc66ba2104df75d8dad
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.6.44 with commit 66fa52edd32cdbb675f0803b3c4da10ea19b6635
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.10.3 with commit 6a96041659e834dc0b172dda4b2df512d63920c2
 	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.11 with commit a0157b5aa34eb43ec4c5510f9c260bbb03be937e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-42313
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/media/platform/qcom/venus/vdec.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ad8cf035baf29467158e0550c7a42b7bb43d1db6
 	https://git.kernel.org/stable/c/72aff311194c8ceda934f24fd6f250b8827d7567
 	https://git.kernel.org/stable/c/4c9d235630d35db762b85a4149bbb0be9d504c36
 	https://git.kernel.org/stable/c/f8e9a63b982a8345470c225679af4ba86e4a7282
 	https://git.kernel.org/stable/c/da55685247f409bf7f976cc66ba2104df75d8dad
 	https://git.kernel.org/stable/c/66fa52edd32cdbb675f0803b3c4da10ea19b6635
 	https://git.kernel.org/stable/c/6a96041659e834dc0b172dda4b2df512d63920c2
 	https://git.kernel.org/stable/c/a0157b5aa34eb43ec4c5510f9c260bbb03be937e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-42313: media: venus: fix use after free in vdec_close

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	media: venus: fix use after free in vdec_close

	There appears to be a possible use after free with vdec_close().
	The firmware will add buffer release work to the work queue through
	HFI callbacks as a normal part of decoding. Randomly closing the
	decoder device from userspace during normal decoding can incur
	a read after free for inst.

	Fix it by cancelling the work in vdec_close.

	The Linux kernel CVE team has assigned CVE-2024-42313 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 4.19.320 with commit ad8cf035baf29467158e0550c7a42b7bb43d1db6
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 5.4.282 with commit 72aff311194c8ceda934f24fd6f250b8827d7567
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 5.10.224 with commit 4c9d235630d35db762b85a4149bbb0be9d504c36
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 5.15.165 with commit f8e9a63b982a8345470c225679af4ba86e4a7282
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.1.103 with commit da55685247f409bf7f976cc66ba2104df75d8dad
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.6.44 with commit 66fa52edd32cdbb675f0803b3c4da10ea19b6635
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.10.3 with commit 6a96041659e834dc0b172dda4b2df512d63920c2
	Issue introduced in 4.13 with commit af2c3834c8ca7cc65d15592ac671933df8848115 and fixed in 6.11 with commit a0157b5aa34eb43ec4c5510f9c260bbb03be937e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-42313
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/media/platform/qcom/venus/vdec.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ad8cf035baf29467158e0550c7a42b7bb43d1db6
	https://git.kernel.org/stable/c/72aff311194c8ceda934f24fd6f250b8827d7567
	https://git.kernel.org/stable/c/4c9d235630d35db762b85a4149bbb0be9d504c36
	https://git.kernel.org/stable/c/f8e9a63b982a8345470c225679af4ba86e4a7282
	https://git.kernel.org/stable/c/da55685247f409bf7f976cc66ba2104df75d8dad
	https://git.kernel.org/stable/c/66fa52edd32cdbb675f0803b3c4da10ea19b6635
	https://git.kernel.org/stable/c/6a96041659e834dc0b172dda4b2df512d63920c2
	https://git.kernel.org/stable/c/a0157b5aa34eb43ec4c5510f9c260bbb03be937e