cve-2024-35921
Vulnerability from cvelistv5
Published
2024-05-19 10:10
Modified
2024-08-02 03:21
Severity
Summary
media: mediatek: vcodec: Fix oops when HEVC init fails
References
SourceURLTags
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/97c75ee5de060d271d80109b0c47cb6008439e5b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ec25fc3c2c1e8958a51abcfed614f81446d918c4
Impacted products
VendorProduct
LinuxLinux
LinuxLinux
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35921",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-29T18:19:45.547100Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:34:06.409Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:49.035Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ec25fc3c2c1e8958a51abcfed614f81446d918c4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/97c75ee5de060d271d80109b0c47cb6008439e5b"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_hevc_req_multi_if.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ec25fc3c2c1e",
              "status": "affected",
              "version": "2674486aac7d",
              "versionType": "git"
            },
            {
              "lessThan": "521ce0ea7418",
              "status": "affected",
              "version": "2674486aac7d",
              "versionType": "git"
            },
            {
              "lessThan": "97c75ee5de06",
              "status": "affected",
              "version": "2674486aac7d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_hevc_req_multi_if.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.27",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.6",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix oops when HEVC init fails\n\nThe stateless HEVC decoder saves the instance pointer in the context\nregardless if the initialization worked or not. This caused a use after\nfree, when the pointer is freed in case of a failure in the deinit\nfunction.\nOnly store the instance pointer when the initialization was successful,\nto solve this issue.\n\n Hardware name: Acer Tomato (rev3 - 4) board (DT)\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]\n lr : vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]\n sp : ffff80008750bc20\n x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000\n x20: 0000000000000010 x19: ffff1299fd668310 x18: 000000000000001a\n x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000\n x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80\n x11: 0000000000000001 x10: 0000000000001b30 x9 : ffffd45c4d12b488\n x8 : 1fffe25339380d81 x7 : 0000000000000001 x6 : ffff1299c9c06c00\n x5 : 0000000000000132 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : 0000000000000010 x1 : ffff80008750bc98 x0 : 0000000000000000\n Call trace:\n  vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]\n  vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]\n  vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec]\n  vdec_hevc_slice_deinit+0x30/0x98 [mtk_vcodec_dec]\n  vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec]\n  mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec]\n  fops_vcodec_release+0x64/0x118 [mtk_vcodec_dec]\n  v4l2_release+0x7c/0x100\n  __fput+0x80/0x2d8\n  __fput_sync+0x58/0x70\n  __arm64_sys_close+0x40/0x90\n  invoke_syscall+0x50/0x128\n  el0_svc_common.constprop.0+0x48/0xf0\n  do_el0_svc+0x24/0x38\n  el0_svc+0x38/0xd8\n  el0t_64_sync_handler+0xc0/0xc8\n  el0t_64_sync+0x1a8/0x1b0\n Code: d503201f f9401660 b900127f b900227f (f9400400)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-29T05:31:17.783Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ec25fc3c2c1e8958a51abcfed614f81446d918c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/97c75ee5de060d271d80109b0c47cb6008439e5b"
        }
      ],
      "title": "media: mediatek: vcodec: Fix oops when HEVC init fails",
      "x_generator": {
        "engine": "bippy-a5840b7849dd"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35921",
    "datePublished": "2024-05-19T10:10:33.053Z",
    "dateReserved": "2024-05-17T13:50:33.124Z",
    "dateUpdated": "2024-08-02T03:21:49.035Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35921\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-19T11:15:48.443\",\"lastModified\":\"2024-05-20T13:00:04.957\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: mediatek: vcodec: Fix oops when HEVC init fails\\n\\nThe stateless HEVC decoder saves the instance pointer in the context\\nregardless if the initialization worked or not. This caused a use after\\nfree, when the pointer is freed in case of a failure in the deinit\\nfunction.\\nOnly store the instance pointer when the initialization was successful,\\nto solve this issue.\\n\\n Hardware name: Acer Tomato (rev3 - 4) board (DT)\\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]\\n lr : vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]\\n sp : ffff80008750bc20\\n x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000\\n x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\\n x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000\\n x20: 0000000000000010 x19: ffff1299fd668310 x18: 000000000000001a\\n x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000\\n x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80\\n x11: 0000000000000001 x10: 0000000000001b30 x9 : ffffd45c4d12b488\\n x8 : 1fffe25339380d81 x7 : 0000000000000001 x6 : ffff1299c9c06c00\\n x5 : 0000000000000132 x4 : 0000000000000000 x3 : 0000000000000000\\n x2 : 0000000000000010 x1 : ffff80008750bc98 x0 : 0000000000000000\\n Call trace:\\n  vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]\\n  vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]\\n  vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec]\\n  vdec_hevc_slice_deinit+0x30/0x98 [mtk_vcodec_dec]\\n  vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec]\\n  mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec]\\n  fops_vcodec_release+0x64/0x118 [mtk_vcodec_dec]\\n  v4l2_release+0x7c/0x100\\n  __fput+0x80/0x2d8\\n  __fput_sync+0x58/0x70\\n  __arm64_sys_close+0x40/0x90\\n  invoke_syscall+0x50/0x128\\n  el0_svc_common.constprop.0+0x48/0xf0\\n  do_el0_svc+0x24/0x38\\n  el0_svc+0x38/0xd8\\n  el0t_64_sync_handler+0xc0/0xc8\\n  el0t_64_sync+0x1a8/0x1b0\\n Code: d503201f f9401660 b900127f b900227f (f9400400)\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: mediatek: vcodec: corrija el error cuando falla el inicio de HEVC El decodificador HEVC sin estado guarda el puntero de la instancia en el contexto independientemente de si la inicializaci\u00f3n funcion\u00f3 o no. Esto provoc\u00f3 un use after free, cuando el puntero se libera en caso de fallo en la funci\u00f3n deinit. Para resolver este problema, almacene \u00fanicamente el puntero de instancia cuando la inicializaci\u00f3n sea exitosa. Nombre del hardware: Acer Tomato (rev3 - 4) placa (DT) pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc: vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] lr: vcodec_send_ap_ipi+0x78 /0x170 [mtk_vcodec_dec] sp: ffff80008750bc20 x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000 x24: 0000000000000000 x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000 x20: 0000000000000010 x19: 310 x18: 000000000000001a x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000 x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80 x11: 0000000000000001 x10: 0000000000001b30 x9: 45c4d12b488 x8: 1fffe25339380d81 x7: 0000000000000001 x6: ffff1299c9c06c00 x5: 0000000000000132 x4: 0000000000000000 x3: 0000000000000 000 x2: 0000000000000010 x1: ffff80008750bc98 x0: 0000000000000000 Rastreo de llamadas : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec] vdec_hevc_slice_deinit+0x30/0x98 tk_vcodec_dec] vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec] mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec] fops_vcodec_release +0x64/0x118 [mtk_vcodec_dec] v4l2_release+0x7c/0x100 __fput+0x80/0x2d8 __fput_sync+0x58/0x70 __arm64_sys_close+0x40/0x90 invoke_syscall+0x50/0x128 .0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/ 0xd8 el0t_64_sync_handler+0xc0/0xc8 el0t_64_sync+0x1a8/0x1b0 C\u00f3digo: d503201f f9401660 b900127f b900227f (f9400400)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/97c75ee5de060d271d80109b0c47cb6008439e5b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ec25fc3c2c1e8958a51abcfed614f81446d918c4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.