CVE-2024-58054
Publication date:
06/03/2025
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
staging: media: max96712: fix kernel oops when removing module<br />
<br />
The following kernel oops is thrown when trying to remove the max96712<br />
module:<br />
<br />
Unable to handle kernel paging request at virtual address 00007375746174db<br />
Mem abort info:<br />
ESR = 0x0000000096000004<br />
EC = 0x25: DABT (current EL), IL = 32 bits<br />
SET = 0, FnV = 0<br />
EA = 0, S1PTW = 0<br />
FSC = 0x04: level 0 translation fault<br />
Data abort info:<br />
ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000<br />
CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br />
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br />
user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af89000<br />
[00007375746174db] pgd=0000000000000000, p4d=0000000000000000<br />
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP<br />
Modules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan<br />
snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2<br />
imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev<br />
snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils<br />
max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse<br />
[last unloaded: imx8_isi]<br />
CPU: 0 UID: 0 PID: 754 Comm: rmmod<br />
Tainted: G C 6.12.0-rc6-06364-g327fec852c31 #17<br />
Tainted: [C]=CRAP<br />
Hardware name: NXP i.MX95 19X19 board (DT)<br />
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br />
pc : led_put+0x1c/0x40<br />
lr : v4l2_subdev_put_privacy_led+0x48/0x58<br />
sp : ffff80008699bbb0<br />
x29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000<br />
x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000<br />
x23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8<br />
x20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000<br />
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000<br />
x14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000<br />
x11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010<br />
x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d<br />
x5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1<br />
x2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473<br />
Call trace:<br />
led_put+0x1c/0x40<br />
v4l2_subdev_put_privacy_led+0x48/0x58<br />
v4l2_async_unregister_subdev+0x2c/0x1a4<br />
max96712_remove+0x1c/0x38 [max96712]<br />
i2c_device_remove+0x2c/0x9c<br />
device_remove+0x4c/0x80<br />
device_release_driver_internal+0x1cc/0x228<br />
driver_detach+0x4c/0x98<br />
bus_remove_driver+0x6c/0xbc<br />
driver_unregister+0x30/0x60<br />
i2c_del_driver+0x54/0x64<br />
max96712_i2c_driver_exit+0x18/0x1d0 [max96712]<br />
__arm64_sys_delete_module+0x1a4/0x290<br />
invoke_syscall+0x48/0x10c<br />
el0_svc_common.constprop.0+0xc0/0xe0<br />
do_el0_svc+0x1c/0x28<br />
el0_svc+0x34/0xd8<br />
el0t_64_sync_handler+0x120/0x12c<br />
el0t_64_sync+0x190/0x194<br />
Code: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400)<br />
---[ end trace 0000000000000000 ]---<br />
<br />
This happens because in v4l2_i2c_subdev_init(), the i2c_set_cliendata()<br />
is called again and the data is overwritten to point to sd, instead of<br />
priv. So, in remove(), the wrong pointer is passed to<br />
v4l2_async_unregister_subdev(), leading to a crash.
Severity CVSS v4.0: Pending analysis
Last modification:
06/03/2025