cve/published/2024/CVE-2024-56574.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56574: media: ts2020: fix null-ptr-deref in ts2020_probe()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 media: ts2020: fix null-ptr-deref in ts2020_probe()

 KASAN reported a null-ptr-deref issue when executing the following
 command:

   # echo ts2020 0x20 > /sys/bus/i2c/devices/i2c-0/new_device
     KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
     CPU: 53 UID: 0 PID: 970 Comm: systemd-udevd Not tainted 6.12.0-rc2+ #24
     Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)
     RIP: 0010:ts2020_probe+0xad/0xe10 [ts2020]
     RSP: 0018:ffffc9000abbf598 EFLAGS: 00010202
     RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffffc0714809
     RDX: 0000000000000002 RSI: ffff88811550be00 RDI: 0000000000000010
     RBP: ffff888109868800 R08: 0000000000000001 R09: fffff52001577eb6
     R10: 0000000000000000 R11: ffffc9000abbff50 R12: ffffffffc0714790
     R13: 1ffff92001577eb8 R14: ffffffffc07190d0 R15: 0000000000000001
     FS:  00007f95f13b98c0(0000) GS:ffff888149280000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 0000555d2634b000 CR3: 0000000152236000 CR4: 00000000000006f0
     DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
     DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
     Call Trace:
      <TASK>
      ts2020_probe+0xad/0xe10 [ts2020]
      i2c_device_probe+0x421/0xb40
      really_probe+0x266/0x850
     ...

 The cause of the problem is that when using sysfs to dynamically register
 an i2c device, there is no platform data, but the probe process of ts2020
 needs to use platform data, resulting in a null pointer being accessed.

 Solve this problem by adding checks to platform data.

 The Linux kernel CVE team has assigned CVE-2024-56574 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 5.4.287 with commit ced1c04e82e3ecc246b921b9733f0df0866aa50d
 	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 5.10.231 with commit 5a53f97cd5977911850b695add057f9965c1a2d6
 	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 5.15.174 with commit b6208d1567f929105011bcdfd738f59a6bdc1088
 	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 6.1.120 with commit dc03866b5f4aa2668946f8384a1e5286ae53bbaa
 	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 6.6.64 with commit a2ed3b780f34e4a6403064208bc2c99d1ed85026
 	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 6.12.4 with commit 901070571bc191d1d8d7a1379bc5ba9446200999
 	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 6.13 with commit 4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56574
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/media/dvb-frontends/ts2020.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ced1c04e82e3ecc246b921b9733f0df0866aa50d
 	https://git.kernel.org/stable/c/5a53f97cd5977911850b695add057f9965c1a2d6
 	https://git.kernel.org/stable/c/b6208d1567f929105011bcdfd738f59a6bdc1088
 	https://git.kernel.org/stable/c/dc03866b5f4aa2668946f8384a1e5286ae53bbaa
 	https://git.kernel.org/stable/c/a2ed3b780f34e4a6403064208bc2c99d1ed85026
 	https://git.kernel.org/stable/c/901070571bc191d1d8d7a1379bc5ba9446200999
 	https://git.kernel.org/stable/c/4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56574: media: ts2020: fix null-ptr-deref in ts2020_probe()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	media: ts2020: fix null-ptr-deref in ts2020_probe()

	KASAN reported a null-ptr-deref issue when executing the following
	command:

	# echo ts2020 0x20 > /sys/bus/i2c/devices/i2c-0/new_device
	KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
	CPU: 53 UID: 0 PID: 970 Comm: systemd-udevd Not tainted 6.12.0-rc2+ #24
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)
	RIP: 0010:ts2020_probe+0xad/0xe10 [ts2020]
	RSP: 0018:ffffc9000abbf598 EFLAGS: 00010202
	RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffffc0714809
	RDX: 0000000000000002 RSI: ffff88811550be00 RDI: 0000000000000010
	RBP: ffff888109868800 R08: 0000000000000001 R09: fffff52001577eb6
	R10: 0000000000000000 R11: ffffc9000abbff50 R12: ffffffffc0714790
	R13: 1ffff92001577eb8 R14: ffffffffc07190d0 R15: 0000000000000001
	FS: 00007f95f13b98c0(0000) GS:ffff888149280000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000555d2634b000 CR3: 0000000152236000 CR4: 00000000000006f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<TASK>
	ts2020_probe+0xad/0xe10 [ts2020]
	i2c_device_probe+0x421/0xb40
	really_probe+0x266/0x850
	...

	The cause of the problem is that when using sysfs to dynamically register
	an i2c device, there is no platform data, but the probe process of ts2020
	needs to use platform data, resulting in a null pointer being accessed.

	Solve this problem by adding checks to platform data.

	The Linux kernel CVE team has assigned CVE-2024-56574 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 5.4.287 with commit ced1c04e82e3ecc246b921b9733f0df0866aa50d
	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 5.10.231 with commit 5a53f97cd5977911850b695add057f9965c1a2d6
	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 5.15.174 with commit b6208d1567f929105011bcdfd738f59a6bdc1088
	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 6.1.120 with commit dc03866b5f4aa2668946f8384a1e5286ae53bbaa
	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 6.6.64 with commit a2ed3b780f34e4a6403064208bc2c99d1ed85026
	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 6.12.4 with commit 901070571bc191d1d8d7a1379bc5ba9446200999
	Issue introduced in 4.1 with commit dc245a5f9b5163511e0c164c8aa47848f07b75a9 and fixed in 6.13 with commit 4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56574
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/media/dvb-frontends/ts2020.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ced1c04e82e3ecc246b921b9733f0df0866aa50d
	https://git.kernel.org/stable/c/5a53f97cd5977911850b695add057f9965c1a2d6
	https://git.kernel.org/stable/c/b6208d1567f929105011bcdfd738f59a6bdc1088
	https://git.kernel.org/stable/c/dc03866b5f4aa2668946f8384a1e5286ae53bbaa
	https://git.kernel.org/stable/c/a2ed3b780f34e4a6403064208bc2c99d1ed85026
	https://git.kernel.org/stable/c/901070571bc191d1d8d7a1379bc5ba9446200999
	https://git.kernel.org/stable/c/4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba