@PlaidCat PlaidCat commented Oct 1, 2025

    media: uvcvideo: Remove dangling pointers

    jira VULN-53466
    cve CVE-2024-58002
    commit-author Ricardo Ribalda <ribalda@chromium.org>
    commit 221cd51efe4565501a3dbf04cc011b537dcce7fb
    upstream-diff We are missing 54da6a092431 - "locking: Introduce __cleanup()
        based infrastructure" which is part of an extremely large
        changeset.  Integrating this is not viable, so we're going to
        use the same update as the KERNEL_ORG-LT 5.15 backport:
        117f7a2975ba. This replaces the guard with a standard
        mutex_lock().
    media: uvcvideo: Only save async fh if success

    jira VULN-53466
    cve-pre CVE-2024-58002
    commit-author Ricardo Ribalda <ribalda@chromium.org>
    commit d9fecd096f67a4469536e040a8a10bbfb665918b
    media: uvcvideo: Refactor iterators

    jira VULN-53466
    cve-pre CVE-2024-58002
    commit-author Ricardo Ribalda <ribalda@chromium.org>
    commit 64627daf0c5f7838111f52bbbd1a597cb5d6871a

BUILD

[jmaple@devbox code]$ egrep -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
  CLEAN   scripts/mod
  CLEAN   scripts/selinux/genheaders
  CLEAN   scripts/selinux/mdp
  CLEAN   scripts
  CLEAN   include/config include/generated arch/x86/include/generated .config .config.old .version Module.symvers certs/signing_key.pem certs/signing_key.x509 certs/x509.genkey
[TIMER]{MRPROPER}: 9s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
--
  LD [M]  sound/xen/snd_xen_front.ko
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
  BTF [M] sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1307s
Making Modules
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
--
  STRIP   /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/sound/virtio/virtio_snd.ko
  SIGN    /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/sound/xen/snd_xen_front.ko
  DEPMOD  /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+
[TIMER]{MODULES}: 7s
Making Install
sh ./arch/x86/boot/install.sh \
        5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+ arch/x86/boot/bzImage \
        System.map "/boot"
[TIMER]{INSTALL}: 24s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 9s
[TIMER]{BUILD}: 1307s
[TIMER]{MODULES}: 7s
[TIMER]{INSTALL}: 24s
[TIMER]{TOTAL} 1352s
Rebooting in 10 seconds

KselfTest

[jmaple@devbox code]$ ~/workspace/auto_kernel_history_rebuild/Rocky10/rocky10/code/get_kselftest_diff.sh
kselftest.5.14.0-284.30.1.el9_2.ciqfips.0.14.1.x86_64.log
314
kselftest.5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+.log
313
kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-4db430364722+.log
314
kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+.log
325
Before: kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-4db430364722+.log
After: kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+.log
Diff:
+ok 12 selftests: x86: fsgsbase_restore_64
+ok 13 selftests: x86: sigaltstack_64
+ok 14 selftests: x86: fsgsbase_64
+ok 15 selftests: x86: sysret_rip_64
+ok 16 selftests: x86: syscall_numbering_64
+ok 17 selftests: x86: corrupt_xstate_header_64
+ok 2 selftests: x86: sysret_ss_attrs_64
+ok 3 selftests: x86: syscall_nt_64
+ok 4 selftests: x86: test_mremap_vdso_64
+ok 5 selftests: x86: check_initial_reg_state_64
-ok 6 selftests: net: tls
-ok 6 selftests: timers: inconsistency-check
+ok 7 selftests: x86: iopl_64
+ok 8 selftests: x86: ioperm_64
+ok 9 selftests: x86: test_vsyscall_64

KselfTest Diff Experimental

#!/bin/bash
# Compare kselftest result logs across kernel builds: print the number of
# passing ("ok") tests in each of the four newest logs, then show which
# "ok" lines appeared (+) or disappeared (-) between the two newest ones.

FILES=$(ls -rt kselftest.* | tail -n4)

while read -r line; do
        echo "$line"; grep -c '^ok ' "$line"
done <<< "$FILES"

BEFORE=""
AFTER=""

# After this loop AFTER holds the newest log and BEFORE the one before it.
while read -r line; do
    BEFORE=${AFTER}
    AFTER=${line}
done <<< "$FILES"

echo "Before: $BEFORE"
echo "After: $AFTER"
echo "Diff:"
# Diff the sorted "ok" lines of both logs and keep only the +/- result
# lines, dropping the ---/+++ file headers and @@ hunk markers.
DIFF=$(grep '^[+-]ok' <(diff -adU0 <(grep '^ok' "${BEFORE}" | sort -h) <(grep '^ok' "${AFTER}" | sort -h)))
if [ -z "$DIFF" ]; then
    echo "No differences found."
else
    echo "$DIFF"
fi
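An added illustration of what the upstream-diff note at the top of this PR trades away; this is not code from the PR or from the kernel. Upstream 221cd51efe45 takes the chain's control mutex with a scope-based guard built on the __cleanup() infrastructure from 54da6a092431, which this tree lacks, so the backport (like the 5.15 one, 117f7a2975ba) pairs mutex_lock() with an explicit mutex_unlock(). The struct toy_mutex below is an assumed user-space stand-in for struct mutex; the cleanup attribute is the GCC/Clang feature the kernel's guard macros wrap. The lock_balanced() helper is the check to apply to the backported function: on every exit path, is the lock released exactly once?

```c
/*
 * Added example, not code from the PR or the kernel: scope-based guard
 * (upstream shape) versus explicit lock/unlock (backport shape).
 * struct toy_mutex is an assumed stand-in for struct mutex.
 */
#include <stdbool.h>

struct toy_mutex {
	bool held;
	unsigned int unlocks;
};

static void toy_lock(struct toy_mutex *m)   { m->held = true; }
static void toy_unlock(struct toy_mutex *m) { m->held = false; m->unlocks++; }

/* The compiler calls toy_guard_exit() when the guarding variable leaves
 * scope, whatever path the function takes out. */
static void toy_guard_exit(struct toy_mutex **gp) { toy_unlock(*gp); }
#define toy_guard(m) \
	struct toy_mutex *_guard __attribute__((cleanup(toy_guard_exit))) = \
		(toy_lock(m), (m))

/* Upstream shape: early return when nothing is pending; the guard unlocks. */
static int cleanup_with_guard(struct toy_mutex *m, unsigned int pending)
{
	toy_guard(m);
	if (!pending)
		return 0;
	/* ... walk the controls and clear the handles ... */
	return (int)pending;
}

/* Backport shape: every exit path must reach the explicit unlock. */
static int cleanup_with_explicit_lock(struct toy_mutex *m, unsigned int pending)
{
	int cleared = 0;

	toy_lock(m);
	if (!pending)
		goto out;
	/* ... walk the controls and clear the handles ... */
	cleared = (int)pending;
out:
	toy_unlock(m);
	return cleared;
}

/* Reviewer's check for the backport: after a call on the given path, the
 * lock must be free and must have been released exactly once. */
static bool lock_balanced(int (*fn)(struct toy_mutex *, unsigned int),
			  unsigned int pending)
{
	struct toy_mutex m = { .held = false, .unlocks = 0 };

	fn(&m, pending);
	return !m.held && m.unlocks == 1;
}
```

Run lock_balanced() against both functions with pending == 0 and pending != 0: the early-return path is the one a backport that drops the guard most easily gets wrong.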


Copilot AI left a comment


Pull Request Overview

This PR addresses CVE-2024-58002 by implementing a comprehensive fix for dangling pointer issues in the UVC video driver. The changes introduce proper reference counting and cleanup mechanisms for asynchronous control handles to prevent use-after-free vulnerabilities.

Key changes:

  • Added reference counting for pending asynchronous controls per file handle
  • Implemented proper cleanup of dangling pointers when file handles are released
  • Refactored control handle management with thread-safe operations

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File                              Description
drivers/media/usb/uvc/uvcvideo.h  Added pending_async_ctrls field and uvc_ctrl_cleanup_fh declaration
drivers/media/usb/uvc/uvc_v4l2.c  Added cleanup call in file release handler
drivers/media/usb/uvc/uvc_ctrl.c  Implemented reference counting and cleanup logic for control handles


@PlaidCat PlaidCat force-pushed the {jmaple}_fips-9-compliant/5.14.0-284.30.1 branch from a6c2456 to 7775b45 Compare October 3, 2025 13:52
PlaidCat commented Oct 3, 2025

I would say this was a test to catch Co-Pilot and reviewers but in reality it was me moving too fast with too many spinning plates.


@bmastbergen bmastbergen left a comment


🥌

@PlaidCat PlaidCat force-pushed the {jmaple}_fips-9-compliant/5.14.0-284.30.1 branch 2 times, most recently from c48b137 to 98202de Compare October 3, 2025 22:24
jira VULN-53466
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit 64627da

Avoid using the iterators after the list_for_each() constructs.
This patch should be a NOP, but makes cocci, happier:

drivers/media/usb/uvc/uvc_ctrl.c:1861:44-50: ERROR: invalid reference to the index variable of the iterator on line 1850
drivers/media/usb/uvc/uvc_ctrl.c:2195:17-23: ERROR: invalid reference to the index variable of the iterator on line 2179

	Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
	Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
	Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
	Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
(cherry picked from commit 64627da)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira VULN-53466
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit d9fecd0

Now we keep a reference to the active fh for any call to uvc_ctrl_set,
regardless if it is an actual set or if it is a just a try or if the
device refused the operation.

We should only keep the file handle if the device actually accepted
applying the operation.

	Cc: stable@vger.kernel.org
Fixes: e5225c8 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives")
	Suggested-by: Hans de Goede <hdegoede@redhat.com>
	Reviewed-by: Hans de Goede <hdegoede@redhat.com>
	Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
	Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://lore.kernel.org/r/20241203-uvc-fix-async-v6-1-26c867231118@chromium.org
	Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
	Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
(cherry picked from commit d9fecd0)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
@PlaidCat PlaidCat force-pushed the {jmaple}_fips-9-compliant/5.14.0-284.30.1 branch from 98202de to aeb4a52 Compare October 16, 2025 22:05
@PlaidCat PlaidCat (Collaborator Author) commented

Updated

Kbuild

[jmaple@devbox code]$ egrep -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
/mnt/code/kernel-src-tree-build
Running make mrproper...
[TIMER]{MRPROPER}: 5s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-jmaple_fips-9-compliant_5.14.0-284.30.1-aeb4a5234123"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
--
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] sound/xen/snd_xen_front.ko
  BTF [M] virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1297s
Making Modules
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-aeb4a5234123+/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-aeb4a5234123+/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-aeb4a5234123+/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-aeb4a5234123+/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
--
  SIGN    /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-aeb4a5234123+/kernel/sound/virtio/virtio_snd.ko
  SIGN    /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-aeb4a5234123+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  STRIP   /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-aeb4a5234123+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-aeb4a5234123+/kernel/virt/lib/irqbypass.ko
  DEPMOD  /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-aeb4a5234123+
[TIMER]{MODULES}: 7s
Making Install
sh ./arch/x86/boot/install.sh \
        5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-aeb4a5234123+ arch/x86/boot/bzImage \
        System.map "/boot"
[TIMER]{INSTALL}: 21s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-aeb4a5234123+ and Index to 1
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 5s
[TIMER]{BUILD}: 1297s
[TIMER]{MODULES}: 7s
[TIMER]{INSTALL}: 21s
[TIMER]{TOTAL} 1336s
Rebooting in 10 seconds

KselfTests

[jmaple@devbox code]$ ~/workspace/auto_kernel_history_rebuild/Rocky10/rocky10/code/get_kselftest_diff.sh
kselftest.5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+.log
313
kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-4db430364722+.log
314
kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+.log
325
kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-aeb4a5234123+.log
320
Before: kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+.log
After: kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-aeb4a5234123+.log
Diff:
+ok 11 selftests: proc: proc-uptime-001
-ok 1 selftests: pidfd: pidfd_test
-ok 2 selftests: pidfd: pidfd_fdinfo_test
-ok 3 selftests: pidfd: pidfd_open_test
-ok 4 selftests: pidfd: pidfd_poll_test
-ok 5 selftests: pidfd: pidfd_wait
-ok 6 selftests: pidfd: pidfd_getfd_test
+ok 6 selftests: timers: inconsistency-check
-ok 7 selftests: pidfd: pidfd_setns_test


@kerneltoast kerneltoast left a comment


Code looks good, just two nits on the upstream-diff blurb in media: uvcvideo: Remove dangling pointers:

upstream-diff used kernel-lt 5.15 commit 117f7a2
	This is due to missing both:
	 - 54da6a0 - locking: Introduce __cleanup() based infrastructure
  1. Those shortened commit hashes are too short to identify a single specific commit, use e.g. git rev-parse --short SHA to get the shortest unique hash.

  2. "This is due to missing both:" but only one thing is listed.

@PlaidCat PlaidCat requested a review from kerneltoast October 17, 2025 14:58
jira VULN-53466
cve CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit 221cd51
upstream-diff used kernel-lt 5.15 commit 117f7a2
	This is due to missing:
	 - 54da6a0 - locking: Introduce __cleanup() based infrastructure

When an async control is written, we copy a pointer to the file handle
that started the operation. That pointer will be used when the device is
done. Which could be anytime in the future.

If the user closes that file descriptor, its structure will be freed,
and there will be one dangling pointer per pending async control, that
the driver will try to use.

Clean all the dangling pointers during release().

To avoid adding a performance penalty in the most common case (no async
operation), a counter has been introduced with some logic to make sure
that it is properly handled.

	Cc: stable@vger.kernel.org
Fixes: e5225c8 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives")
	Reviewed-by: Hans de Goede <hdegoede@redhat.com>
	Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
	Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/20241203-uvc-fix-async-v6-3-26c867231118@chromium.org
	Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
	Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
(cherry picked from commit 221cd51)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
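An added user-space model of the bug the commit message above describes and of the precondition fixed by "media: uvcvideo: Only save async fh if success" (the d9fecd0 message earlier in this thread); this is not the driver's code or anything from this PR. struct fh and struct ctrl are simplified stand-ins for struct uvc_fh and struct uvc_control, device_apply() is an assumed toy device that accepts even values and rejects odd ones, and the scenario() driver is constructed for the example. It shows the three things the two commits change: only an accepted, non-try set leaves a pointer to the file handle, release() clears every pointer still owned by that handle, and the per-handle counter lets the common no-pending case skip the walk over all controls.

```c
/*
 * Added example, not the driver's or this PR's code: a user-space model of
 * the bug in "Remove dangling pointers" and the rule from "Only save async
 * fh if success".  struct fh / struct ctrl stand in for struct uvc_fh /
 * struct uvc_control; device_apply() is an assumed toy device.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct fh {
	unsigned int pending_async_ctrls;   /* counter introduced by the fix */
};

struct ctrl {
	bool async;          /* completion arrives later, from the device */
	struct fh *handle;   /* file handle that started the pending op   */
};

#define NCTRLS 3
static struct ctrl controls[NCTRLS];

/* Toy device: accepts even values, rejects odd ones. */
static int device_apply(int value)
{
	return (value % 2 == 0) ? 0 : -1;
}

/* Ownership bookkeeping from the fix; new_handle == NULL releases the
 * control and keeps the per-handle count in step. */
static void ctrl_set_handle(struct fh *fh, struct ctrl *c, struct fh *new_handle)
{
	if (new_handle) {
		if (c->handle == new_handle)
			return;
		if (c->handle)                      /* re-owned before completion */
			c->handle->pending_async_ctrls--;
		c->handle = new_handle;
		new_handle->pending_async_ctrls++;
		return;
	}
	if (c->handle != fh)                        /* not ours to clear */
		return;
	c->handle = NULL;
	fh->pending_async_ctrls--;
}

/* Pre-fix: the handle is stored for every set of an async control, even a
 * try or one the device rejected.  Post-fix: only an accepted, real set. */
static int ctrl_set(struct fh *fh, struct ctrl *c, int value, bool try, bool fixed)
{
	int ret;

	if (!fixed && c->async)
		c->handle = fh;
	ret = device_apply(value);
	if (fixed && ret == 0 && !try && c->async)
		ctrl_set_handle(fh, c, fh);
	return ret;
}

/* The walk the fix adds to release(); the counter skips it in the common
 * case of nothing pending. */
static void ctrl_cleanup_fh(struct fh *fh)
{
	if (!fh->pending_async_ctrls)
		return;
	for (size_t i = 0; i < NCTRLS; i++)
		if (controls[i].handle == fh)
			ctrl_set_handle(fh, &controls[i], NULL);
}

struct outcome {
	unsigned int pending;   /* fh->pending_async_ctrls just before release() */
	int dangling;           /* controls still pointing at the freed handle  */
};

/* Constructed scenario: one accepted set, one rejected set and one try,
 * then release the file handle.  Every control still holding the pointer
 * afterwards is a use-after-free waiting for the device's completion. */
static struct outcome scenario(bool fixed)
{
	struct fh *fh = calloc(1, sizeof(*fh));
	struct outcome out = { 0, 0 };

	for (size_t i = 0; i < NCTRLS; i++)
		controls[i] = (struct ctrl){ .async = true, .handle = NULL };

	ctrl_set(fh, &controls[0], 2, false, fixed);   /* accepted           */
	ctrl_set(fh, &controls[1], 3, false, fixed);   /* rejected by device */
	ctrl_set(fh, &controls[2], 2, true, fixed);    /* try only           */

	out.pending = fh->pending_async_ctrls;
	if (fixed)
		ctrl_cleanup_fh(fh);                   /* what release() now does */
	free(fh);

	for (size_t i = 0; i < NCTRLS; i++)
		out.dangling += controls[i].handle != NULL;
	return out;
}
```

Without the fix all three controls keep the pointer (the rejected set and the try included), and the counter is never maintained; with it only the accepted set is pending, the count is 1, and release() leaves nothing for a later Control Change interrupt to dereference.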
@PlaidCat PlaidCat force-pushed the {jmaple}_fips-9-compliant/5.14.0-284.30.1 branch from aeb4a52 to b0a8286 Compare October 17, 2025 15:11

@kerneltoast kerneltoast left a comment


🚢

@PlaidCat PlaidCat merged commit 28bd6c4 into fips-9-compliant/5.14.0-284.30.1 Oct 17, 2025
3 checks passed
@PlaidCat PlaidCat deleted the {jmaple}_fips-9-compliant/5.14.0-284.30.1 branch October 17, 2025 23:04