Bug 2265795 (CVE-2023-52459)

Summary: CVE-2023-52459 kernel: v4l: async: Fix duplicated list deletion
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, allarkin, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, esandeen, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mleitner, mmilgram, mstowell, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, sukulkar, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kernel 6.8-rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the v4l2-async module in the Linux kernel. Under some conditions, the function that removes an entry from a linked list (list_del()) may be called twice on the same entry, causing a NULL pointer dereference and resulting in a denial of service.
Bug Depends On: 2265807
Bug Blocks: 2265790

Description Patrick Del Bello 2024-02-24 11:20:06 UTC
The list deletion call dropped here is already called from the helper function in the line before. Having a second list_del() call results in either a warning (with CONFIG_DEBUG_LIST=y):

list_del corruption, c46c8198->next is LIST_POISON1 (00000100)

If CONFIG_DEBUG_LIST is disabled, the operation results in a kernel error due to a NULL pointer dereference.
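The double list_del() described above, as an added userspace model that is not code from the bug report or from the kernel: a minimal list_head with the kernel's poison values and a CONFIG_DEBUG_LIST-style validity check, so the redundant second deletion is reported instead of writing through a poison pointer. Names mirror include/linux/list.h, but the bodies here are an assumption for illustration, not the kernel's implementation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
struct list_head { struct list_head *next, *prev; };
/* Poison values list_del() leaves behind; the quoted warning shows
 * LIST_POISON1 as 00000100 on a 32-bit build. */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0x100)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0x122)

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->next = h; n->prev = h->prev;
    h->prev->next = n; h->prev = n;
}

/* Userspace model of the CONFIG_DEBUG_LIST check: poisoned links mean
 * the entry was already unlinked, so report it and refuse. */
static bool list_del_entry_valid(struct list_head *e)
{
    if (e->next != LIST_POISON1 && e->prev != LIST_POISON2)
        return true;
    fprintf(stderr, "list_del corruption, %p already unlinked\n", (void *)e);
    return false;
}

/* Unlink and poison. Without the check, a second call would write through
 * 0x100/0x122, which the kernel reports as a NULL pointer dereference. */
static bool list_del_checked(struct list_head *e)
{
    if (!list_del_entry_valid(e))
        return false;
    e->prev->next = e->next;
    e->next->prev = e->prev;
    e->next = LIST_POISON1;
    e->prev = LIST_POISON2;
    return true;
}

/* Shape of the bug: a helper unlinks the entry, then its caller unlinks it
 * again. Returns 0 when the redundant call is caught and the list is intact. */
static int double_delete_demo(void)
{
    struct list_head head = { &head, &head }, a, b;
    list_add_tail(&a, &head);
    list_add_tail(&b, &head);
    bool first = list_del_checked(&a);   /* deletion inside the helper */
    bool second = list_del_checked(&a);  /* redundant deletion the fix removed */
    bool intact = head.next == &b && b.next == &head && b.prev == &head;
    return (first && !second && intact) ? 0 : -1;
}
```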

Comment 1 Patrick Del Bello 2024-02-24 11:24:56 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2265807]

Comment 3 Justin M. Forbes 2024-02-27 00:13:50 UTC
Issue introduced in 6.6 with commit 28a1295795d8 and fixed in 6.6.14 with commit b7062628caea
Issue introduced in 6.6 with commit 28a1295795d8 and fixed in 6.7.2 with commit 49d828114284
Issue introduced in 6.6 with commit 28a1295795d8 and fixed in 6.8-rc1 with commit 3de6ee94aae7

Comment 4 Justin M. Forbes 2024-02-27 00:14:32 UTC
This was fixed for Fedora with the 6.6.14 stable kernel updates.

Comment 6 Alex 2024-06-09 13:12:14 UTC
The result of automatic check (that is developed by Alexander Larkin) for this CVE-2023-52459 is: 	SKIP	The Fixes patch not applied yet, so unlikely that actual: 28a1295795d85a25f2e7dd391c43969e95fcb341	YES			NO	NO	unknown (where first YES/NO value means if related sources built).