Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-w3g9-f95x-pwmf

Опубликовано: 24 дек. 2025
Источник: github
Github: Не прошло ревью

Описание

In the Linux kernel, the following vulnerability has been resolved:

media: mtk-jpeg: Fix use after free bug due to uncanceled work

In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug.

Fix it by canceling the work before cleanup in the mtk_jpeg_remove

CPU0 CPU1

|mtk_jpeg_job_timeout_work

mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use

In the Linux kernel, the following vulnerability has been resolved:

media: mtk-jpeg: Fix use after free bug due to uncanceled work

In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug.

Fix it by canceling the work before cleanup in the mtk_jpeg_remove

CPU0 CPU1

|mtk_jpeg_job_timeout_work

mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use

Ссылки

CVE ID

CVE-2023-54103

Связанные уязвимости

ubuntu логотип

CVE-2023-54103

ubuntu
около 2 месяцев назад

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

nvd логотип

CVE-2023-54103

nvd
около 2 месяцев назад

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

CVE ID

CVE-2023-54103