Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

CVE-2025-40016

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
20/10/2025
Last modified:
21/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID

Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero
unique ID.

```
Each Unit and Terminal within the video function is assigned a unique
identification number, the Unit ID (UID) or Terminal ID (TID), contained in
the bUnitID or bTerminalID field of the descriptor. The value 0x00 is
reserved for undefined ID,
```

If we add a new entity with id 0 or a duplicated ID, it will be marked
as UVC_INVALID_ENTITY_ID.

In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require
entities to have a non-zero unique ID"), we ignored all the invalid units,
this broke a lot of non-compatible cameras. Hopefully we are more lucky
this time.

This also prevents some syzkaller reproducers from triggering warnings due
to a chain of entities referring to themselves. In one particular case, an
Output Unit is connected to an Input Unit, both with the same ID of 1. But
when looking up for the source ID of the Output Unit, that same entity is
found instead of the input entity, which leads to such warnings.

In another case, a backward chain was considered finished as the source ID
was 0. Later on, that entity was found, but its pads were not valid.

Here is a sample stack trace for one of those cases.

```
[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 20.830206] usb 1-1: Using ep0 maxpacket: 8
[ 20.833501] usb 1-1: config 0 descriptor??
[ 21.038518] usb 1-1: string descriptor 0 read error: -71
[ 21.038893] usb 1-1: Found UVC 0.00 device (2833:0201)
[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!
[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!
[ 21.042218] ------------[ cut here ]------------
[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0
[ 21.043195] Modules linked in:
[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444
[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[ 21.044639] Workqueue: usb_hub_wq hub_event
[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0
[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00
[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246
[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1
[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290
[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000
[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003
[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000
[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0
[ 21.051136] PKRU: 55555554
[ 21.051331] Call Trace:
[ 21.051480]
[ 21.051611] ? __warn+0xc4/0x210
[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0
[ 21.052252] ? report_bug+0x11b/0x1a0
[ 21.052540] ? trace_hardirqs_on+0x31/0x40
[ 21.052901] ? handle_bug+0x3d/0x70
[ 21.053197] ? exc_invalid_op+0x1a/0x50
[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20
[ 21.053924] ? media_create_pad_link+0x91/0x2e0
[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0
[ 21.054834] ? media_create_pad_link+0x91/0x2e0
[ 21.055131] ? _raw_spin_unlock+0x1e/0x40
[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210
[ 21.055837] uvc_mc_register_entities+0x358/0x400
[ 21.056144] uvc_register_chains+0x1
```
---truncated---
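
The following is a simplified user-space model of the ID handling the description explains, added here as an illustration; it is not the kernel's uvcvideo code. The sentinel value `0xffff`, the struct layout, and the names `entity_by_id` and `add_entity` are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed sentinel value (not given on the page): descriptor IDs are one
 * byte, so a 16-bit 0xffff can never match a real bUnitID/bTerminalID. */
#define INVALID_ENTITY_ID 0xffff
#define MAX_ENTITIES 8

struct entity { uint16_t id; uint8_t source_id; const char *name; };
struct device { struct entity ents[MAX_ENTITIES]; size_t count; };

/* Lookup by ID. 0 is "undefined" per the spec text quoted above and the
 * sentinel marks rejected IDs, so neither ever resolves to an entity. */
static struct entity *entity_by_id(struct device *dev, uint16_t id)
{
    if (id == 0 || id == INVALID_ENTITY_ID)
        return NULL;
    for (size_t i = 0; i < dev->count; i++)
        if (dev->ents[i].id == id)
            return &dev->ents[i];
    return NULL;
}

/* Register an entity. A zero or already-used ID is replaced by the sentinel
 * rather than dropping the entity, so the device still enumerates. */
static struct entity *add_entity(struct device *dev, const char *name,
                                 uint8_t id, uint8_t source_id)
{
    if (dev->count == MAX_ENTITIES)
        return NULL;
    struct entity *e = &dev->ents[dev->count];
    e->id = (id == 0 || entity_by_id(dev, id)) ? INVALID_ENTITY_ID : id;
    e->source_id = source_id;
    e->name = name;
    dev->count++;
    return e;
}

int main(void)
{
    struct device dev = { .count = 0 };
    /* Constructed input mirroring the two cases in the description. */
    add_entity(&dev, "Output", 1, 1);  /* first user of ID 1 keeps it */
    add_entity(&dev, "Input", 1, 0);   /* duplicate ID 1 -> sentinel */
    add_entity(&dev, "Unit", 0, 0);    /* reserved ID 0 -> sentinel */
    for (size_t i = 0; i < dev.count; i++)
        printf("%-6s id=0x%04x\n", dev.ents[i].name, (unsigned)dev.ents[i].id);
    return 0;
}
```

In this model an entity that carries the sentinel stays registered but can no longer be reached through any source ID, which is the difference from the earlier attempt that ignored invalid units altogether.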

Impact