A recent vulnerability discovered in the Linux kernel, specifically in the media V4L async sub-system, has now been resolved. The vulnerability is in the duplicated list deletion process and could potentially lead to kernel errors and result in system instability. In this post, we will discuss the details of the vulnerability, how to reproduce it, and the steps taken to resolve it.
Description of the vulnerability
In the media V4L async subsystem of the Linux kernel, there is an issue where a duplicated list deletion causes kernel errors and potential system instability. The problem lies within the second list_del() call, where the operation can result in either a warning (when CONFIG_DEBUG_LIST=y) or a kernel error (when CONFIG_DEBUG_LIST is disabled) due to NULL pointer dereference. The warning scenario would result in the following error message:
"list_del corruption, c46c8198->next is LIST_POISON1 (00000100)"
Code snippet illustrating the issue
static void v4l2_async_cleanup(struct v4l2_async_devinfo *info)
{
if (list_empty(&info->asd_list))
return;
list_splice_init(&info->asd_list, &v4l2_async_cleanup_list);
list_del(&v4l2_async_cleanup_list);
v4l2_async_cleanup_nodes();
}
In the code snippet above, the second list_del() call is unnecessary since the helper function list_splice() has already taken care of deleting the list. As a result, this could potentially lead to kernel errors or warnings.
Reproducing the vulnerability
This vulnerability can be reproduced by using specific hardware configurations, such as video devices with malfunctioning or corrupted firmware causing duplicated list deletion scenarios.
Here are the links to the patches and discussions on the Linux kernel mailing list
- [PATCH] media: v4l: async: Fix duplicated list deletion: (https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg3005129.html)
- [Media-v4l: async: Fix duplicated list deletion] (https://www.spinics.net/lists/linux-media/msg188489.html)
Resolution
The fix for this vulnerability involves removing the unnecessary list_del() call from the code snippet. By doing this, the potential kernel errors and warnings will be avoided.
New, corrected code snippet
static void v4l2_async_cleanup(struct v4l2_async_devinfo *info)
{
if (list_empty(&info->asd_list))
return;
list_splice_init(&info->asd_list, &v4l2_async_cleanup_list);
v4l2_async_cleanup_nodes();
}
With this fix, users with relevant hardware configurations can avoid experiencing potential kernel errors and increased system stability. The Linux kernel community has been vigilant in identifying and resolving such vulnerabilities, and we encourage everyone to keep their systems up-to-date with the latest patches to ensure safety and stability.
Timeline
Published on: 02/23/2024 15:15:08 UTC
Last modified on: 04/19/2024 18:49:47 UTC