CVE-2024-23848: media: cec: use-after-free in cec_queue_msg_fh

Kate Hsuan requested to merge hpa1/centos-stream-9:CVE2024-23848-3 into main

JIRA: https://issues.redhat.com/browse/RHEL-22561
CVE: CVE-2024-23848

buildinfo: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=62330527

These four patches fixed the use-after-free issue for media cec. The patches include:
9fe2816816a3c765dff3b88af5b5c3d9bbb911ce
42bcaacae924bf18ae387c3f78c202df0b739292
47c82aac10a6954d68f29f10d9758d016e8e5af1
cbe499977bc36fedae89f0a0d7deb4ccde9798fe

Moreover, to backport these fix patches, a certain backport for cec was required, and the patches were as follows:

cbe499977bc36fedae89f0a0d7deb4ccde9798fe media: cec: core: avoid confusing "transmit timed out" message
47c82aac10a6954d68f29f10d9758d016e8e5af1 media: cec: core: avoid recursive cec_claim_log_addrs
9fe2816816a3c765dff3b88af5b5c3d9bbb911ce media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
ce5d241c3ad4568c12842168288993234345c0eb media: cec: core: remove length check of Timer Status
632b8b044a940e415c6d9bd5235778b0db28add1 media: cec: core: count low-drive, error and arb-lost conditions
f208f4a49a46cc04f51b0c335d4b6390fbfcd1b8 media: cec: core: add note about *_from_edid() function usage in drm
948a77aaecf202f722cf2264025f9987e5bd5c26 media: cec: core: add adap_unconfigured() callback
da53c36ddd3f118a525a04faa8c47ca471e6c467 media: cec: core: add adap_nb_transmit_canceled() callback
73af6c7511038249cad3d5f3b44bf8d78ac0f499 media: cec: core: don't set last_initiator if tx in progress
fe4526d99e2e06b08bb80316c3a596ea6a807b75 media: cec: core: disable adapter in cec_devnode_unregister
6bade236f14033fa457a9e22ceb8a114a14d90e3 media: cec: core: not all messages were passed on when monitoring
479747caa5bfa94b856bf47249006e6c8aa8be37 media: cec: add support for Absolute Volume Control
691c3db0dc7616b3cc4ff0f52f956c9afa71b1cd media: cec-adap.c: log when claiming LA fails unexpectedly
f9222f8ca18bcb1d55dd749b493b29fd8092fb82 media: cec-adap.c: drop activate_cnt, use state info instead
e3891b36364e85914fcb7a535656695a67e876a7 media: cec-adap.c: reconfigure if the PA changes during configuration
59267fc34f4900dcd2ec3295f6be04b79aee2186 media: cec-adap.c: fix is_configuring state
184c387db057c135eeab1a163f863838edb02483 media: cec-adap.c: stop trying LAs on CEC_TX_STATUS_TIMEOUT
498946cf6b85b5eafb142132a11351814f578535 media: cec-adap.c: don't unconfigure if already unconfigured
f1b57164305d6342b9f77a4f4482cde492b56983 media: cec: add optional adap_configured callback
dad272bd03d541dc7c0ff8331756eccf659f6f02 media: cec: add xfer_timeout_ms field
e2ed5024ac2bc27d4bfc99fd58f5ab54de8fa965 media: cec: use call_op and check for !unregistered
f9d0ecbf56f4b90745a6adc5b59281ad8f70ab54 media: cec: correctly pass on reply results
590a8e564c6eff7e77a84e728612f1269e3c0685 media: cec: abort if the current transmit was canceled
3813c932ed970dd4f413498ccecb03c73c4f1784 media: cec: call enable_adap on s_log_addrs
a9e6107616bb8108aa4fc22584a05e69761a91f7 media: cec: fix a deadlock situation
2ddd03309433d39852945c2f85d36e796c558793 media: cec: safely unhook lists in cec_data
13cbaa4c2b7bf9f8285e1164d005dbf08244ecd5 media: cec: copy sequence field for the reply

713bdfa10b5957053811470d298def9537d9ff13 media: cec-pin: fix interrupt en/disable handling
3a2e4b193690ff2e44e95856d90bdeaf337211f6 media: cec-pin: drop unused 'enabled' field from struct cec_pin
7e360fa0c0f3e7dd1aa8f2b574d7b461d0caf5e2 media: cec-pin: fix off-by-one SFT check
c8b263937c489ec536193bbe48d810118a387e12 media: cec-pin: rename timer overrun variables

Signed-off-by: Kate Hsuan <hpa@redhat.com>
