cve-2024-35921
Vulnerability from cvelistv5
Published
2024-05-19 10:10
Modified
2024-11-05 09:25
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Fix oops when HEVC init fails The stateless HEVC decoder saves the instance pointer in the context regardless if the initialization worked or not. This caused a use after free, when the pointer is freed in case of a failure in the deinit function. Only store the instance pointer when the initialization was successful, to solve this issue. Hardware name: Acer Tomato (rev3 - 4) board (DT) pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] lr : vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] sp : ffff80008750bc20 x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000 x20: 0000000000000010 x19: ffff1299fd668310 x18: 000000000000001a x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000 x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80 x11: 0000000000000001 x10: 0000000000001b30 x9 : ffffd45c4d12b488 x8 : 1fffe25339380d81 x7 : 0000000000000001 x6 : ffff1299c9c06c00 x5 : 0000000000000132 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000010 x1 : ffff80008750bc98 x0 : 0000000000000000 Call trace: vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec] vdec_hevc_slice_deinit+0x30/0x98 [mtk_vcodec_dec] vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec] mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec] fops_vcodec_release+0x64/0x118 [mtk_vcodec_dec] v4l2_release+0x7c/0x100 __fput+0x80/0x2d8 __fput_sync+0x58/0x70 __arm64_sys_close+0x40/0x90 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/0xd8 el0t_64_sync_handler+0xc0/0xc8 el0t_64_sync+0x1a8/0x1b0 Code: d503201f f9401660 b900127f b900227f (f9400400)
Impacted products
Vendor Product Version
Linux Linux Version: 6.5
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35921",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-29T18:19:45.547100Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:34:06.409Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:49.035Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ec25fc3c2c1e8958a51abcfed614f81446d918c4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/97c75ee5de060d271d80109b0c47cb6008439e5b"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_hevc_req_multi_if.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ec25fc3c2c1e",
              "status": "affected",
              "version": "2674486aac7d",
              "versionType": "git"
            },
            {
              "lessThan": "521ce0ea7418",
              "status": "affected",
              "version": "2674486aac7d",
              "versionType": "git"
            },
            {
              "lessThan": "97c75ee5de06",
              "status": "affected",
              "version": "2674486aac7d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_hevc_req_multi_if.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix oops when HEVC init fails\n\nThe stateless HEVC decoder saves the instance pointer in the context\nregardless if the initialization worked or not. This caused a use after\nfree, when the pointer is freed in case of a failure in the deinit\nfunction.\nOnly store the instance pointer when the initialization was successful,\nto solve this issue.\n\n Hardware name: Acer Tomato (rev3 - 4) board (DT)\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]\n lr : vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]\n sp : ffff80008750bc20\n x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000\n x20: 0000000000000010 x19: ffff1299fd668310 x18: 000000000000001a\n x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000\n x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80\n x11: 0000000000000001 x10: 0000000000001b30 x9 : ffffd45c4d12b488\n x8 : 1fffe25339380d81 x7 : 0000000000000001 x6 : ffff1299c9c06c00\n x5 : 0000000000000132 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : 0000000000000010 x1 : ffff80008750bc98 x0 : 0000000000000000\n Call trace:\n  vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]\n  vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]\n  vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec]\n  vdec_hevc_slice_deinit+0x30/0x98 [mtk_vcodec_dec]\n  vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec]\n  mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec]\n  fops_vcodec_release+0x64/0x118 [mtk_vcodec_dec]\n  v4l2_release+0x7c/0x100\n  __fput+0x80/0x2d8\n  __fput_sync+0x58/0x70\n  __arm64_sys_close+0x40/0x90\n  invoke_syscall+0x50/0x128\n  el0_svc_common.constprop.0+0x48/0xf0\n  do_el0_svc+0x24/0x38\n  el0_svc+0x38/0xd8\n  el0t_64_sync_handler+0xc0/0xc8\n  el0t_64_sync+0x1a8/0x1b0\n Code: d503201f f9401660 b900127f b900227f (f9400400)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:25:04.584Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ec25fc3c2c1e8958a51abcfed614f81446d918c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/97c75ee5de060d271d80109b0c47cb6008439e5b"
        }
      ],
      "title": "media: mediatek: vcodec: Fix oops when HEVC init fails",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35921",
    "datePublished": "2024-05-19T10:10:33.053Z",
    "dateReserved": "2024-05-17T13:50:33.124Z",
    "dateUpdated": "2024-11-05T09:25:04.584Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35921\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-19T11:15:48.443\",\"lastModified\":\"2024-05-20T13:00:04.957\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: mediatek: vcodec: Fix oops when HEVC init fails\\n\\nThe stateless HEVC decoder saves the instance pointer in the context\\nregardless if the initialization worked or not. This caused a use after\\nfree, when the pointer is freed in case of a failure in the deinit\\nfunction.\\nOnly store the instance pointer when the initialization was successful,\\nto solve this issue.\\n\\n Hardware name: Acer Tomato (rev3 - 4) board (DT)\\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]\\n lr : vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]\\n sp : ffff80008750bc20\\n x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000\\n x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\\n x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000\\n x20: 0000000000000010 x19: ffff1299fd668310 x18: 000000000000001a\\n x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000\\n x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80\\n x11: 0000000000000001 x10: 0000000000001b30 x9 : ffffd45c4d12b488\\n x8 : 1fffe25339380d81 x7 : 0000000000000001 x6 : ffff1299c9c06c00\\n x5 : 0000000000000132 x4 : 0000000000000000 x3 : 0000000000000000\\n x2 : 0000000000000010 x1 : ffff80008750bc98 x0 : 0000000000000000\\n Call trace:\\n  vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]\\n  vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]\\n  vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec]\\n  vdec_hevc_slice_deinit+0x30/0x98 [mtk_vcodec_dec]\\n  vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec]\\n  mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec]\\n  fops_vcodec_release+0x64/0x118 [mtk_vcodec_dec]\\n  v4l2_release+0x7c/0x100\\n  __fput+0x80/0x2d8\\n  __fput_sync+0x58/0x70\\n  __arm64_sys_close+0x40/0x90\\n  invoke_syscall+0x50/0x128\\n  el0_svc_common.constprop.0+0x48/0xf0\\n  do_el0_svc+0x24/0x38\\n  el0_svc+0x38/0xd8\\n  el0t_64_sync_handler+0xc0/0xc8\\n  el0t_64_sync+0x1a8/0x1b0\\n Code: d503201f f9401660 b900127f b900227f (f9400400)\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: mediatek: vcodec: corrija el error cuando falla el inicio de HEVC El decodificador HEVC sin estado guarda el puntero de la instancia en el contexto independientemente de si la inicializaci\u00f3n funcion\u00f3 o no. Esto provoc\u00f3 un use after free, cuando el puntero se libera en caso de fallo en la funci\u00f3n deinit. Para resolver este problema, almacene \u00fanicamente el puntero de instancia cuando la inicializaci\u00f3n sea exitosa. Nombre del hardware: Acer Tomato (rev3 - 4) placa (DT) pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc: vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] lr: vcodec_send_ap_ipi+0x78 /0x170 [mtk_vcodec_dec] sp: ffff80008750bc20 x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000 x24: 0000000000000000 x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000 x20: 0000000000000010 x19: 310 x18: 000000000000001a x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000 x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80 x11: 0000000000000001 x10: 0000000000001b30 x9: 45c4d12b488 x8: 1fffe25339380d81 x7: 0000000000000001 x6: ffff1299c9c06c00 x5: 0000000000000132 x4: 0000000000000000 x3: 0000000000000 000 x2: 0000000000000010 x1: ffff80008750bc98 x0: 0000000000000000 Rastreo de llamadas : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec] vdec_hevc_slice_deinit+0x30/0x98 tk_vcodec_dec] vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec] mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec] fops_vcodec_release +0x64/0x118 [mtk_vcodec_dec] v4l2_release+0x7c/0x100 __fput+0x80/0x2d8 __fput_sync+0x58/0x70 __arm64_sys_close+0x40/0x90 invoke_syscall+0x50/0x128 .0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/ 0xd8 el0t_64_sync_handler+0xc0/0xc8 el0t_64_sync+0x1a8/0x1b0 C\u00f3digo: d503201f f9401660 b900127f b900227f (f9400400)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/97c75ee5de060d271d80109b0c47cb6008439e5b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ec25fc3c2c1e8958a51abcfed614f81446d918c4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.