nvd-json-data-feeds/CVE-2023/CVE-2023-524xx/CVE-2023-52491.json

{
  "id": "CVE-2023-52491",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2024-03-11T18:15:16.807",
  "lastModified": "2024-12-12T17:32:00.693",
  "vulnStatus": "Analyzed",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run\n\nIn mtk_jpeg_probe, &jpeg->job_timeout_work is bound with\nmtk_jpeg_job_timeout_work.\n\nIn mtk_jpeg_dec_device_run, if error happens in\nmtk_jpeg_set_dec_dst, it will finally start the worker while\nmark the job as finished by invoking v4l2_m2m_job_finish.\n\nThere are two methods to trigger the bug. If we remove the\nmodule, it which will call mtk_jpeg_remove to make cleanup.\nThe possible sequence is as follows, which will cause a\nuse-after-free bug.\n\nCPU0                  CPU1\nmtk_jpeg_dec_...    |\n  start worker\t    |\n                    |mtk_jpeg_job_timeout_work\nmtk_jpeg_remove     |\n  v4l2_m2m_release  |\n    kfree(m2m_dev); |\n                    |\n                    | v4l2_m2m_get_curr_priv\n                    |   m2m_dev->curr_ctx //use\n\nIf we close the file descriptor, which will call mtk_jpeg_release,\nit will have a similar sequence.\n\nFix this bug by starting timeout worker only if started jpegdec worker\nsuccessfully. Then v4l2_m2m_job_finish will only be called in\neither mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: medio: mtk-jpeg: Se corrigi\u00f3 el error de use-after-free debido al manejo de la ruta de error en mtk_jpeg_dec_device_run En mtk_jpeg_probe, &jpeg->job_timeout_work est\u00e1 vinculado con mtk_jpeg_job_timeout_work. En mtk_jpeg_dec_device_run, si ocurre un error en mtk_jpeg_set_dec_dst, finalmente iniciar\u00e1 el trabajador mientras marca el trabajo como finalizado invocando v4l2_m2m_job_finish. Hay dos m\u00e9todos para activar el error. Si eliminamos el m\u00f3dulo, llamar\u00e1 a mtk_jpeg_remove para realizar la limpieza. La secuencia posible es la siguiente, lo que provocar\u00e1 un error de use-after-free. CPU0 CPU1 mtk_jpeg_dec_... | empezar trabajador | |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use Si cerramos el descriptor de archivo, que llamar\u00e1 a mtk_jpeg_release, tendr\u00e1 una secuencia similar. Corrija este error iniciando el trabajador de tiempo de espera solo si inici\u00f3 el trabajador jpegdec exitosamente. Entonces v4l2_m2m_job_finish solo se llamar\u00e1 en mtk_jpeg_job_timeout_work o mtk_jpeg_dec_device_run."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "4.12",
              "versionEndExcluding": "5.10.210",
              "matchCriteriaId": "FFC7FC62-DD78-4B12-9C6A-57C3E33A3410"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "5.11",
              "versionEndExcluding": "5.15.149",
              "matchCriteriaId": "0D0465BB-4053-4E15-9137-6696EBAE90FD"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "5.16",
              "versionEndExcluding": "6.1.76",
              "matchCriteriaId": "32F0FEB3-5FE1-4400-A56D-886F09BE872E"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "6.2",
              "versionEndExcluding": "6.6.15",
              "matchCriteriaId": "87C718CB-AE3D-4B07-B4D9-BFF64183C468"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "6.7",
              "versionEndExcluding": "6.7.3",
              "matchCriteriaId": "58FD5308-148A-40D3-B36A-0CA6B434A8BF"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/1b1036c60a37a30caf6759a90fe5ecd06ec35590",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/206c857dd17d4d026de85866f1b5f0969f2a109e",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/43872f44eee6c6781fea1348b38885d8e78face9",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/6e2f37022f0fc0893da4d85a0500c9d547fffd4c",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/8254d54d00eb6cdb8367399c7f912eb8d354ecd7",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/9fec4db7fff54d9b0306a332bab31eac47eeb5f6",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/1b1036c60a37a30caf6759a90fe5ecd06ec35590",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/206c857dd17d4d026de85866f1b5f0969f2a109e",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/43872f44eee6c6781fea1348b38885d8e78face9",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/6e2f37022f0fc0893da4d85a0500c9d547fffd4c",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/8254d54d00eb6cdb8367399c7f912eb8d354ecd7",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/9fec4db7fff54d9b0306a332bab31eac47eeb5f6",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ]
    }
  ]
}