跳转到帖子

Debian: CVE-2023-52491: linux -- security update

recommended_posts

发布于
  • Members

Debian: CVE-2023-52491: linux -- security update

Severity
7
CVSS
(AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published
03/11/2024
Created
05/08/2024
Added
05/08/2024
Modified
01/28/2025

Description

In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. In mtk_jpeg_dec_device_run, if error happens in mtk_jpeg_set_dec_dst, it will finally start the worker while mark the job as finished by invoking v4l2_m2m_job_finish. There are two methods to trigger the bug. If we remove the module, it which will call mtk_jpeg_remove to make cleanup. The possible sequence is as follows, which will cause a use-after-free bug. CPU0CPU1 mtk_jpeg_dec_...| start worker | |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release| kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use If we close the file descriptor, which will call mtk_jpeg_release, it will have a similar sequence. Fix this bug by starting timeout worker only if started jpegdec worker successfully. Then v4l2_m2m_job_finish will only be called in either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run.

Solution(s)

  • debian-upgrade-linux

References

  • https://attackerkb.com/topics/cve-2023-52491
  • CVE - 2023-52491
  • DSA-5681-1
  • 查看数 704
  • 已创建
  • 最后回复

参与讨论

你可立刻发布并稍后注册。 如果你有帐户,立刻登录发布帖子。
注意:你的帖子需要版主批准后才能看到。

游客
回帖…