Conversation

@PlaidCat PlaidCat commented Oct 1, 2025

    media: uvcvideo: Remove dangling pointers

    jira VULN-53466
    cve CVE-2024-58002
    commit-author Ricardo Ribalda <[email protected]>
    commit 221cd51efe4565501a3dbf04cc011b537dcce7fb
    upstream-diff We are missing 54da6a092431 - "locking: Introduce __cleanup()
        based infrastructure" which is part of an extremely large
        changeset.  Integrating this is not viable, so we're going to
        use the same update as the KERNEL_ORG-LT 5.15 backport:
        117f7a2975ba. This replaces the guard with a standard
        mutex_lock().
    media: uvcvideo: Only save async fh if success

    jira VULN-53466
    cve-pre CVE-2024-58002
    commit-author Ricardo Ribalda <[email protected]>
    commit d9fecd096f67a4469536e040a8a10bbfb665918b
    media: uvcvideo: Refactor iterators

    jira VULN-53466
    cve-pre CVE-2024-58002
    commit-author Ricardo Ribalda <[email protected]>
    commit 64627daf0c5f7838111f52bbbd1a597cb5d6871a

BUILD

[jmaple@devbox code]$ egrep -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
  CLEAN   scripts/mod
  CLEAN   scripts/selinux/genheaders
  CLEAN   scripts/selinux/mdp
  CLEAN   scripts
  CLEAN   include/config include/generated arch/x86/include/generated .config .config.old .version Module.symvers certs/signing_key.pem certs/signing_key.x509 certs/x509.genkey
[TIMER]{MRPROPER}: 9s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
--
  LD [M]  sound/xen/snd_xen_front.ko
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
  BTF [M] sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1307s
Making Modules
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
--
  STRIP   /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/sound/virtio/virtio_snd.ko
  SIGN    /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/sound/xen/snd_xen_front.ko
  DEPMOD  /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+
[TIMER]{MODULES}: 7s
Making Install
sh ./arch/x86/boot/install.sh \
        5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+ arch/x86/boot/bzImage \
        System.map "/boot"
[TIMER]{INSTALL}: 24s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 9s
[TIMER]{BUILD}: 1307s
[TIMER]{MODULES}: 7s
[TIMER]{INSTALL}: 24s
[TIMER]{TOTAL} 1352s
Rebooting in 10 seconds

KselfTest

[jmaple@devbox code]$ ~/workspace/auto_kernel_history_rebuild/Rocky10/rocky10/code/get_kselftest_diff.sh
kselftest.5.14.0-284.30.1.el9_2.ciqfips.0.14.1.x86_64.log
314
kselftest.5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+.log
313
kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-4db430364722+.log
314
kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+.log
325
Before: kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-4db430364722+.log
After: kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+.log
Diff:
+ok 12 selftests: x86: fsgsbase_restore_64
+ok 13 selftests: x86: sigaltstack_64
+ok 14 selftests: x86: fsgsbase_64
+ok 15 selftests: x86: sysret_rip_64
+ok 16 selftests: x86: syscall_numbering_64
+ok 17 selftests: x86: corrupt_xstate_header_64
+ok 2 selftests: x86: sysret_ss_attrs_64
+ok 3 selftests: x86: syscall_nt_64
+ok 4 selftests: x86: test_mremap_vdso_64
+ok 5 selftests: x86: check_initial_reg_state_64
-ok 6 selftests: net: tls
-ok 6 selftests: timers: inconsistency-check
+ok 7 selftests: x86: iopl_64
+ok 8 selftests: x86: ioperm_64
+ok 9 selftests: x86: test_vsyscall_64

KselfTest Diff Experimental

#!/bin/bash
# Compare the four most recent kselftest logs: print the passing-test count
# of each, then show which "ok" lines changed between the last two runs.

FILES=$(ls -rt kselftest.* | tail -n4)

# One line per log: file name, then the number of passing tests in it.
while read -r line; do
    echo "$line"; grep -c '^ok ' "$line"
done <<< "$FILES"

BEFORE=""
AFTER=""

# After this loop AFTER holds the newest log and BEFORE the one before it.
while read -r line; do
    BEFORE=${AFTER}
    AFTER=${line}
done <<< "$FILES"

echo "Before: $BEFORE"
echo "After: $AFTER"
echo "Diff:"
# Zero-context unified diff of the sorted "ok" lines; the outer grep keeps
# only the added/removed test lines and drops the diff headers.
DIFF=$(grep ok <(diff -adU0 <(grep '^ok' "${BEFORE}" | sort -h) <(grep '^ok' "${AFTER}" | sort -h)))
if [ -z "$DIFF" ]; then
    echo "No differences found."
else
    echo "$DIFF"
fi

jira VULN-53466
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <[email protected]>
commit 64627da

Avoid using the iterators after the list_for_each() constructs.
This patch should be a NOP, but makes cocci happier:

drivers/media/usb/uvc/uvc_ctrl.c:1861:44-50: ERROR: invalid reference to the index variable of the iterator on line 1850
drivers/media/usb/uvc/uvc_ctrl.c:2195:17-23: ERROR: invalid reference to the index variable of the iterator on line 2179

Reviewed-by: Sergey Senozhatsky <[email protected]>
Reviewed-by: Laurent Pinchart <[email protected]>
Signed-off-by: Ricardo Ribalda <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
(cherry picked from commit 64627da)
Signed-off-by: Jonathan Maple <[email protected]>
jira VULN-53466
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <[email protected]>
commit d9fecd0

Now we keep a reference to the active fh for any call to uvc_ctrl_set,
regardless if it is an actual set or if it is just a try or if the
device refused the operation.

We should only keep the file handle if the device actually accepted
applying the operation.

Cc: [email protected]
Fixes: e5225c8 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives")
Suggested-by: Hans de Goede <[email protected]>
Reviewed-by: Hans de Goede <[email protected]>
Reviewed-by: Laurent Pinchart <[email protected]>
Signed-off-by: Ricardo Ribalda <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Laurent Pinchart <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
(cherry picked from commit d9fecd0)
Signed-off-by: Jonathan Maple <[email protected]>
@Copilot Copilot AI left a comment

Pull Request Overview

This PR addresses CVE-2024-58002 by implementing a comprehensive fix for dangling pointer issues in the UVC video driver. The changes introduce proper reference counting and cleanup mechanisms for asynchronous control handles to prevent use-after-free vulnerabilities.

Key changes:

  • Added reference counting for pending asynchronous controls per file handle
  • Implemented proper cleanup of dangling pointers when file handles are released
  • Refactored control handle management with thread-safe operations

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File                              Description
drivers/media/usb/uvc/uvcvideo.h  Added pending_async_ctrls field and uvc_ctrl_cleanup_fh declaration
drivers/media/usb/uvc/uvc_v4l2.c  Added cleanup call in file release handler
drivers/media/usb/uvc/uvc_ctrl.c  Implemented reference counting and cleanup logic for control handles


@PlaidCat PlaidCat force-pushed the {jmaple}_fips-9-compliant/5.14.0-284.30.1 branch from a6c2456 to 7775b45 (October 3, 2025 13:52)
PlaidCat commented Oct 3, 2025

I would say this was a test to catch Co-Pilot and reviewers but in reality it was me moving too fast with too many spinning plates.

@bmastbergen bmastbergen left a comment

🥌

Comment on lines 2617 to 2623
	if (!handle->pending_async_ctrls){
		mutex_unlock(&handle->chain->ctrl_mutex);
		return;
	}

	list_for_each_entry(entity, &handle->chain->dev->entities, list) {
		for (unsigned int i = 0; i < entity->ncontrols; ++i) {
@kerneltoast kerneltoast Oct 3, 2025

There are differences here compared to the 5.15 version of this commit:

$ interdiffbkpt 7775b458062116b21c5a65c0366cfa3ae2d98161 117f7a2975ba
diff -u b/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
--- b/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -2614,13 +2614,14 @@
 
 	mutex_lock(&handle->chain->ctrl_mutex);
 
-	if (!handle->pending_async_ctrls){
+	if (!handle->pending_async_ctrls) {
 		mutex_unlock(&handle->chain->ctrl_mutex);
 		return;
 	}
 
 	list_for_each_entry(entity, &handle->chain->dev->entities, list) {
-		for (unsigned int i = 0; i < entity->ncontrols; ++i) {
+		unsigned int i;
+		for (i = 0; i < entity->ncontrols; ++i) {
 			if (entity->controls[i].handle != handle)
 				continue;
 			uvc_ctrl_set_handle(handle, &entity->controls[i], NULL);
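Review bot: Both deltas in this hunk are cosmetic, the missing space before `{` on the `if` and the loop counter declared in the `for` header rather than hoisted as `unsigned int i;`, so behaviour is identical either way; the real question is which tree the backport tracks. The hoisted declaration is the pre-C99 form the 5.15 commit 117f7a2975ba carries, while `for (unsigned int i = 0; ...)` matches mainline and depends on this branch building with -std=gnu11; whichever form is kept, the upstream-diff trailer should name the 5.15 SHA and state the chosen loop form so a later re-pick does not reintroduce the mismatch.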

Apply that interdiff to make this patch the same as the 5.15 version, or just re-pick using the 5.15 SHA.

PlaidCat (Collaborator, Author) commented:

That's correct, this kernel contains the -std=gnu11 commit
c1bb5aa

commit c1bb5aaa977654cc83839a6269a97302db05e6e4
Author: Waiman Long <[email protected]>
Date:   Tue Jun 7 17:44:36 2022 -0400

    Kbuild: move to -std=gnu11

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2074118
    Conflicts: The hunk for zh_TW/process/programming-language.rst is dropped
               as the file isn't in RHEL9.

    commit e8c07082a810fbb9db303a2b66b66b8d7e588b53
    Author: Arnd Bergmann <[email protected]>
    Date:   Tue, 8 Mar 2022 22:56:14 +0100

        Kbuild: move to -std=gnu11
[jmaple@devbox kernel-src-tree]$ git describe --contains c1bb5aaa977654cc83839a6269a97302db05e6e4
kernel-5.14.0-121.el9~7^2~1

PlaidCat (Collaborator, Author) commented:

It's clear though that my `upstream-diff` is insufficient.

PlaidCat (Collaborator, Author) commented:

upstream-diff - Referenced kernel-lt 5.15 commit 117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50
     This is due to missing:
       - 54da6a092431 - locking: Introduce __cleanup() based infrastructure
     Leaving the loop as the mainline since this kernel branch contains:
       - e8c07082a810 - Kbuild: move to -std=gnu11 at c1bb5aaa9776

PlaidCat (Collaborator, Author) commented:

I fixed the `{` issue on the if statement; I'm not changing the for loop.

Collaborator commented:

> That's correct, this kernel contains the -std=gnu11 commit

It does, but the code doesn't perfectly align with anything upstream anymore: it's a hybrid between the 5.15 patch and the mainline patch. IMO, for situations like these, it is better to choose one or the other in its entirety instead of diverging from both.

@PlaidCat PlaidCat force-pushed the {jmaple}_fips-9-compliant/5.14.0-284.30.1 branch from 7775b45 to c48b137 (October 3, 2025 22:20)
jira VULN-53466
cve CVE-2024-58002
commit-author Ricardo Ribalda <[email protected]>
commit 221cd51
upstream-diff - Referenced kernel-lt 5.15 commit 117f7a2
    This is due to missing:
      - 54da6a0 - locking: Introduce __cleanup() based infrastructure
    Leaving the loop as the mainline since this kernel branch contains:
      - e8c0708 - Kbuild: move to -std=gnu11 at c1bb5aa

When an async control is written, we copy a pointer to the file handle
that started the operation. That pointer will be used when the device is
done, which could be anytime in the future.

If the user closes that file descriptor, its structure will be freed,
and there will be one dangling pointer per pending async control that
the driver will try to use.

Clean all the dangling pointers during release().

To avoid adding a performance penalty in the most common case (no async
operation), a counter has been introduced with some logic to make sure
that it is properly handled.

Cc: [email protected]
Fixes: e5225c8 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives")
Reviewed-by: Hans de Goede <[email protected]>
Signed-off-by: Ricardo Ribalda <[email protected]>
Reviewed-by: Laurent Pinchart <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Laurent Pinchart <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
(cherry picked from commit 221cd51)
Signed-off-by: Jonathan Maple <[email protected]>
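As an added illustration (not the driver's code and not part of this PR), a simplified C model of the approach the commit message above describes: a per-handle pending_async_ctrls counter kept consistent by uvc_ctrl_set_handle(), and a uvc_ctrl_cleanup_fh() run from release() that nulls every control still pointing at the handle. The struct layouts, the return value of the cleanup routine and the omission of the ctrl_mutex and WARN_ON checks are assumptions made for the example.

```c
#include <stddef.h>

/* Simplified model of the patch; names are assumed to mirror it, not driver code. */
struct uvc_fh { unsigned int pending_async_ctrls; }; /* controls owned by this fh */
struct uvc_control { struct uvc_fh *handle; };       /* fh that started the async op */
struct uvc_entity { struct uvc_control *controls; unsigned int ncontrols; };

/* Point ctrl at new_handle, or clear it when new_handle is NULL, keeping each
 * handle's pending counter equal to the number of controls that reference it. */
static void uvc_ctrl_set_handle(struct uvc_fh *handle, struct uvc_control *ctrl,
                                struct uvc_fh *new_handle)
{
    if (new_handle) {
        if (ctrl->handle == new_handle)
            return;                              /* already owned by this fh */
        if (ctrl->handle)
            ctrl->handle->pending_async_ctrls--; /* previous owner lets go */
        ctrl->handle = new_handle;
        new_handle->pending_async_ctrls++;
        return;
    }
    if (ctrl->handle != handle)                  /* cannot clear what we do not own */
        return;
    ctrl->handle = NULL;
    handle->pending_async_ctrls--;
}

/* release() path: clear every control still pointing at handle so nothing
 * dereferences the fh after it is freed. Returns the number cleared; the
 * counter lets the common no-async case skip the scan entirely. */
static unsigned int uvc_ctrl_cleanup_fh(struct uvc_fh *handle,
                                        struct uvc_entity *ents, size_t nents)
{
    unsigned int cleared = 0;
    if (!handle->pending_async_ctrls)
        return 0;
    for (size_t e = 0; e < nents; e++)
        for (unsigned int i = 0; i < ents[e].ncontrols; i++)
            if (ents[e].controls[i].handle == handle) {
                uvc_ctrl_set_handle(handle, &ents[e].controls[i], NULL);
                cleared++;
            }
    return cleared;
}
```

The fast path only stays safe while the counter matches the number of controls that reference the handle, which is why every assignment of ctrl->handle goes through uvc_ctrl_set_handle().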
@PlaidCat PlaidCat force-pushed the {jmaple}_fips-9-compliant/5.14.0-284.30.1 branch from c48b137 to 98202de (October 3, 2025 22:24)