CVE-2024-35921
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
19/05/2024
Last modified:
30/12/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

media: mediatek: vcodec: Fix oops when HEVC init fails

The stateless HEVC decoder saves the instance pointer in the context
regardless if the initialization worked or not. This caused a use after
free, when the pointer is freed in case of a failure in the deinit
function.
Only store the instance pointer when the initialization was successful,
to solve this issue.

Hardware name: Acer Tomato (rev3 - 4) board (DT)
pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]
lr : vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]
sp : ffff80008750bc20
Call trace:
vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]
vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]
vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec]
vdec_hevc_slice_deinit+0x30/0x98 [mtk_vcodec_dec]
vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec]
mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec]
fops_vcodec_release+0x64/0x118 [mtk_vcodec_dec]
v4l2_release+0x7c/0x100
__fput+0x80/0x2d8
__fput_sync+0x58/0x70
__arm64_sys_close+0x40/0x90
invoke_syscall+0x50/0x128
el0_svc_common.constprop.0+0x48/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x38/0xd8
el0t_64_sync_handler+0xc0/0xc8
el0t_64_sync+0x1a8/0x1b0
Code: d503201f f9401660 b900127f b900227f (f9400400)
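
The pattern the description refers to, shown as an added user-space model; it is not code from the kernel or from the fix commits. All names are hypothetical, and a static pool stands in for the kernel allocator so the stale handle can be detected without touching freed memory.

```c
/* User-space model of the bug class; not the mtk_vcodec driver source.
 * Every name is hypothetical; the static pool stands in for kzalloc/kfree. */
#include <stdbool.h>
#include <stdio.h>

struct inst { bool in_use; };
struct ctx  { struct inst *drv_handle; };

static struct inst pool;
static struct inst *inst_alloc(void) { pool.in_use = true; return &pool; }
static void inst_free(struct inst *i) { i->in_use = false; }
static int hw_init(bool fail) { return fail ? -1 : 0; } /* stand-in for firmware init */

/* Before the fix: the handle is published before init is known to work. */
static int init_buggy(struct ctx *ctx, bool fail)
{
    struct inst *inst = inst_alloc();
    ctx->drv_handle = inst;
    if (hw_init(fail)) {
        inst_free(inst);          /* ctx->drv_handle now dangles */
        return -1;
    }
    return 0;
}

/* After the fix: the handle is stored only when init succeeded. */
static int init_fixed(struct ctx *ctx, bool fail)
{
    struct inst *inst = inst_alloc();
    if (hw_init(fail)) {
        inst_free(inst);
        return -1;
    }
    ctx->drv_handle = inst;
    return 0;
}

/* Release path (runs on close): returns true if it found a stale handle. */
static bool release_sees_stale(struct ctx *ctx)
{
    struct inst *inst = ctx->drv_handle;
    bool stale = inst && !inst->in_use;
    if (inst && !stale) inst_free(inst);
    ctx->drv_handle = NULL;
    return stale;
}

int main(void)
{
    struct ctx a = {0}, b = {0};
    init_buggy(&a, true); init_fixed(&b, true);
    printf("buggy stale=%d, fixed stale=%d\n", release_sees_stale(&a), release_sees_stale(&b));
}
```
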
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.5 (including) | 6.6.27 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.8.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e
- https://git.kernel.org/stable/c/97c75ee5de060d271d80109b0c47cb6008439e5b
- https://git.kernel.org/stable/c/ec25fc3c2c1e8958a51abcfed614f81446d918c4



