CVE-2023-52491 - Linux Kernel: Fixing Use-After-Free Bug in Media MTK-JPEG
The Linux kernel recently addressed a vulnerability in the mtk-jpeg media driver: a use-after-free caused by the error path handling in mtk_jpeg_dec_device_run. This post discusses the specifics of the vulnerability, the code sequence associated with it, and the original references where the issue and its fix were discussed.
Bug Overview
In the Linux kernel, the mtk-jpeg media driver (MediaTek's JPEG decoder) handles JPEG decoding tasks. The vulnerability was found in the error path handling of mtk_jpeg_dec_device_run; in certain scenarios it leads to a use-after-free.
There are two ways to trigger the use-after-free:
1. Removing the module: when the module is removed, mtk_jpeg_remove is called for cleanup and frees the m2m device, while the timeout worker started on the error path may still be pending. The surviving fragment of the sequence diagram shows where the freed memory is touched:
    v4l2_m2m_get_curr_priv
      m2m_dev->curr_ctx //use
2. Closing the file descriptor: when the file descriptor is closed, mtk_jpeg_release is called, which triggers a similar sequence.
Fix Implementation
To fix this use-after-free, the timeout worker should only be started once the jpegdec worker has successfully begun. As a result, v4l2_m2m_job_finish is executed in only one of two places for a given job: mtk_jpeg_job_timeout_work or the error path of mtk_jpeg_dec_device_run, never both.
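As an added illustration, not code from the kernel or the driver, the following user-space C model shows the ordering the fix changes: the buggy shape queues the timeout worker before the error check, so after the error path has already finished the job the worker later reaches m2m_dev (modelled by a "freed" flag) after mtk_jpeg_remove has released it; the fixed shape finishes the job and returns without queuing the worker. Struct and function names are simplified stand-ins for the driver's, and the module-removal scenario is the only one modelled.

```c
#include <stdbool.h>

/* Stand-in for the v4l2 m2m device that mtk_jpeg_remove() tears down. */
struct m2m_dev { int curr_ctx; bool freed; };
struct jpeg_dev {
    struct m2m_dev *m2m;
    bool timeout_work_pending;  /* models a queued job_timeout_work */
    int job_finish_calls;       /* models calls to v4l2_m2m_job_finish() */
    int dangling_accesses;      /* worker touched m2m_dev after it was freed */
};
struct outcome { int finish_calls; int dangling_accesses; };

static void job_finish(struct jpeg_dev *jpeg) { jpeg->job_finish_calls++; }

/* Models mtk_jpeg_job_timeout_work(): reaches curr_ctx through m2m_dev, then finishes the job. */
static void timeout_work(struct jpeg_dev *jpeg)
{
    jpeg->timeout_work_pending = false;
    if (jpeg->m2m->freed) {          /* in the kernel this is the use-after-free */
        jpeg->dangling_accesses++;
        return;
    }
    (void)jpeg->m2m->curr_ctx;       /* v4l2_m2m_get_curr_priv -> m2m_dev->curr_ctx */
    job_finish(jpeg);
}

/* Buggy shape: worker queued before the error check, so on failure the job is finished
 * here AND the still-pending worker will touch (or finish) it again later. */
static void device_run_buggy(struct jpeg_dev *jpeg, bool set_dst_fails)
{
    jpeg->timeout_work_pending = true;
    if (set_dst_fails) { job_finish(jpeg); return; }
}

/* Fixed shape: on failure, finish the job and return without queuing the worker. */
static void device_run_fixed(struct jpeg_dev *jpeg, bool set_dst_fails)
{
    if (set_dst_fails) { job_finish(jpeg); return; }
    jpeg->timeout_work_pending = true;
}

/* Error path followed by module removal: free m2m_dev, then drain any queued worker. */
struct outcome run_error_path_then_remove(bool fixed)
{
    struct m2m_dev m2m = { 0 };
    struct jpeg_dev jpeg = { .m2m = &m2m };
    if (fixed) device_run_fixed(&jpeg, true); else device_run_buggy(&jpeg, true);
    m2m.freed = true;                /* mtk_jpeg_remove releases the m2m device */
    if (jpeg.timeout_work_pending) timeout_work(&jpeg);
    return (struct outcome){ jpeg.job_finish_calls, jpeg.dangling_accesses };
}
```

With the buggy ordering the run reports one dangling access after removal; with the fixed ordering it reports none, and in both cases the job is finished exactly once.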
Original References
The issue was first reported and fixed by an external contributor, with further discussion on the Linux Kernel Mailing List. The issue is now addressed in the Linux kernel by the following patch: ec9f4e8a35af "media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run".
Exploit Details
At the time of writing, there are no known public exploits targeting this specific vulnerability. However, an attacker able to trigger the bug could potentially leverage the use-after-free to crash the system or execute arbitrary code. Users are advised to update their Linux kernel to a version containing the fix to avoid potential exploitation of this vulnerability.
Timeline
Published on: 03/11/2024 18:15:16 UTC
Last modified on: 11/21/2024 08:39:53 UTC