[LTS 9.4] media: uvcvideo: Remove dangling pointers #548
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jira VULN-53465 cve-pre CVE-2024-58002 commit-author Ricardo Ribalda <[email protected]> commit 64627da Avoid using the iterators after the list_for_each() constructs. This patch should be a NOP, but makes cocci, happier: drivers/media/usb/uvc/uvc_ctrl.c:1861:44-50: ERROR: invalid reference to the index variable of the iterator on line 1850 drivers/media/usb/uvc/uvc_ctrl.c:2195:17-23: ERROR: invalid reference to the index variable of the iterator on line 2179 Reviewed-by: Sergey Senozhatsky <[email protected]> Reviewed-by: Laurent Pinchart <[email protected]> Signed-off-by: Ricardo Ribalda <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> (cherry picked from commit 64627da) Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-53465 cve-pre CVE-2024-58002 commit-author Ricardo Ribalda <[email protected]> commit d9fecd0 Now we keep a reference to the active fh for any call to uvc_ctrl_set, regardless if it is an actual set or if it is a just a try or if the device refused the operation. We should only keep the file handle if the device actually accepted applying the operation. Cc: [email protected] Fixes: e5225c8 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives") Suggested-by: Hans de Goede <[email protected]> Reviewed-by: Hans de Goede <[email protected]> Reviewed-by: Laurent Pinchart <[email protected]> Signed-off-by: Ricardo Ribalda <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Laurent Pinchart <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]> (cherry picked from commit d9fecd0) Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-53465 cve CVE-2024-58002 commit-author Ricardo Ribalda <[email protected]> commit 221cd51 When an async control is written, we copy a pointer to the file handle that started the operation. That pointer will be used when the device is done. Which could be anytime in the future. If the user closes that file descriptor, its structure will be freed, and there will be one dangling pointer per pending async control, that the driver will try to use. Clean all the dangling pointers during release(). To avoid adding a performance penalty in the most common case (no async operation), a counter has been introduced with some logic to make sure that it is properly handled. Cc: [email protected] Fixes: e5225c8 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives") Reviewed-by: Hans de Goede <[email protected]> Signed-off-by: Ricardo Ribalda <[email protected]> Reviewed-by: Laurent Pinchart <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Laurent Pinchart <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]> (cherry picked from commit 221cd51) Signed-off-by: Marcin Wcisło <[email protected]>
PlaidCat
requested review from
kerneltoast,
PlaidCat,
bmastbergen,
thefossguy-ciq and
shreeya-patel98
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[LTS 9.4]
CVE-2024-58002
VULN-53465
Problem
https://access.redhat.com/security/cve/CVE-2024-58002
Applicability: yes
The affected module is "USB Video Class",
uvcvideo.ko. Enabled byCONFIG_USB_VIDEO_CLASS, set tomin all config files ofciqlts9_4:The fixing commit 221cd51 is not backported, the "Fixes" commit e5225c8 can be found natively in
ciqlts9_4's history.Solution
The fixing commit 221cd51 could not have been cherry picked without conflicts. It's useful to compare the timeline of the modified files
drivers/media/usb/uvc/{uvc_ctrl.c,uvc_v4l2.c,uvcvideo.h}, for LTS 9.4 and Linux stable 5.15 as this fix was backported to 5.15 and the 5.15 version is only a few commits ahead of LTS 9.4:(Full timeline.log)
Legend:
Since the latest version 6d00f4e for
ciqlts9_4there was a set of 6 commits to consider as the domain of possible prerequisites: 04d3398, d9fecd0, c31cffd, a9ea1a3, 8641968, e0360e0 (actually could have been more, but the solution was found within this heuristic starting point). The subset 64627da, d9fecd0 was found to secure the clean cherry pick of the mainline fix 221cd51 while also being the smallest. Thus, the legend continued:It can be noticed that the 5.15 backport actually differs slightly from the mainline version in how mutex is locked in the
uvc_ctrl_cleanup_fh(…)function.Mainline:
kernel-src-tree/drivers/media/usb/uvc/uvc_ctrl.c
Lines 2810 to 2828 in 221cd51
Stable 5.15:
kernel-src-tree/drivers/media/usb/uvc/uvc_ctrl.c
Lines 2590 to 2612 in 117f7a2
This is because the the include/linux/cleanup.h file, where the
guard(…)macro is defined, is missing from the 5.15 version. It was backported tociqlts9_4, however, in the 880fe86 commit, therefore the mainline version of the patch was used in this backport.kABI check: passed
Boot test: passed
Including the "boot test" of the
uvcvideo.komodule, that is its loading:boot-test.log
Kselftests: passed relative
Coverage
bpf(onlytest_cgroup_storage,test_tag,test_sysctl,test_verifier,test_tcpnotify_user,test_sock,test_lpm_map,test_lru_map),breakpoints(onlybreakpoint_test),capabilities,clone3,cpu-hotplug,cpufreq,drivers/dma-buf,drivers/net/bonding(all exceptbond_macvlan.sh),drivers/net/team,exec,filesystems/binderfs,filesystems/epoll,firmware,fpu,ftrace,futex,gpio,intel_pstate,iommu,ipc,ir,kcmp,kexec,kvm,landlock,lib,livepatch,membarrier,memfd,memory-hotplug,mincore,mount,mqueue,nci,net/forwarding(all exceptsch_tbf_prio.sh,ipip_hier_gre_keys.sh,sch_tbf_root.sh,tc_actions.sh,gre_inner_v6_multipath.sh,q_in_vni.sh,tc_police.sh,sch_ets.sh,mirror_gre_vlan_bridge_1q.sh,mirror_gre_bridge_1d_vlan.sh,router_bridge_1d_lag.sh,sch_red.sh,bridge_igmp.sh,ip6gre_inner_v6_multipath.sh,dual_vxlan_bridge.sh,vxlan_bridge_1d_ipv6.sh,router_bridge_lag.sh,sch_tbf_ets.sh),net/hsr,net/mptcp(all exceptsimult_flows.sh,userspace_pm.sh,mptcp_join.sh),net(all exceptreuseport_addr_any.sh,srv6_end_flavors_test.sh,fib_nexthops.sh,gro.sh,reuseaddr_conflict,srv6_end_dt4_l3vpn_test.sh,srv6_end_dt6_l3vpn_test.sh,txtimestamp.sh,udpgso_bench.sh,srv6_end_dt46_l3vpn_test.sh,xfrm_policy.sh,ip_defrag.sh,udpgro_fwd.sh),netfilter(all exceptnft_trans_stress.sh),nsfs,pid_namespace,pidfd,proc(all exceptproc-uptime-001,proc-pid-vm),pstore,ptrace,rlimits,rseq,seccomp,sgx,sigaltstack,size,splice,static_keys,syscall_user_dispatch,tc-testing,tdx,timens,timers,tmpfs,tpm2,tty,vDSO,x86,zramReference
kselftests–ciqlts9_4–run1.log
Patch
kselftests–ciqlts9_4-CVE-2024-58002–run1.log
kselftests–ciqlts9_4-CVE-2024-58002–run2.log
Comparison
The tests results for the reference and the patch are the same.
Specific tests: skipped