A recent Linux kernel vulnerability that affects the "media: v4l2-mem2mem" module was discovered and has been assigned the identifier CVE-2024-27077. We'll be discussing this vulnerability in detail - how it affects the kernel, which versions are impacted, and the solutions that have been implemented to fix it.
What is media:v4l2-mem2mem?
The v4l2-mem2mem module is part of the Video4Linux 2 (V4L2) framework, a collection of device drivers and APIs that support video capture, output, and processing. The mem2mem (memory-to-memory) submodule specifically handles the memory-management side of moving video data between devices, without direct user involvement in the transfer.
The Vulnerability
In the Linux kernel, a memory leak was identified in the v4l2_m2m_register_entity function of the media: v4l2-mem2mem module. The entity->name string (a kstrdup() copy of the name argument) is allocated in this function but isn't freed in the error-handling paths that follow, leading to a memory leak.
Here's the original code snippet illustrating the problem:
int v4l2_m2m_register_entity(struct v4l2_m2m_dev *m2m_dev,
                             const char *name,
                             enum v4l2_m2m_entity_type type)
{
    struct v4l2_m2m_entity *entity;
    int ret;

    entity = kzalloc(sizeof(*entity), GFP_KERNEL);   /* zeroed: entity->name == NULL */
    if (!entity)
        return -ENOMEM;
    entity->node = device_create(v4l2_m2m_class, m2m_dev->v4l2_dev->dev,
                                 m2m_dev->ess_id, entity, "%s", name);
    if (IS_ERR(entity->node)) {
        ret = PTR_ERR(entity->node);
        goto err_free_entity;
    }
    entity->name = kstrdup(name, GFP_KERNEL);        /* separate allocation */
    if (!entity->name) {
        ret = -ENOMEM;
        goto err_delete_node;
    }
    ...
    return 0;
err_delete_node:
    device_destroy(v4l2_m2m_class, entity->node->devt);
err_free_entity:
    kfree(entity);                                   /* entity->name is never freed */
    return ret;
}
In this snippet, entity->name is allocated with kstrdup(). The function has cleanup labels for entity (err_free_entity) and for entity->node (err_delete_node), but neither of them frees entity->name. Any failure after the kstrdup() call that jumps to err_delete_node therefore destroys the node and frees entity while the duplicated name string stays allocated.
The Fix
To resolve this vulnerability, kernel developers have introduced a patch that adds the necessary deallocation step for entity->name. Here's the updated code snippet:
    ...
    if (!entity->name) {
        ret = -ENOMEM;
        goto err_destroy_node;
    }
    ...
    return 0;
err_destroy_node:
    device_destroy(v4l2_m2m_class, entity->node->devt);
err_free_entity:
    kfree(entity->name);                             /* added by the patch */
    kfree(entity);
    return ret;
}
As seen in the updated snippet, the patch adds kfree(entity->name) under err_free_entity, ahead of kfree(entity), so every error path that runs after the kstrdup() releases the string. The early error path (device_create() failing before the kstrdup()) also passes through this label, which is safe because entity was allocated with kzalloc(): entity->name is NULL at that point and kfree(NULL) is a no-op. The memory leak is thereby closed.
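To make the effect of that one extra kfree() observable, here is an added user-space model of the function's cleanup ladder; it is not the kernel's code and not part of the original article. The live_allocs counter, the entity structure, the track_* helpers and the fail_late flag (which simulates a setup step failing after the kstrdup()) are all constructed stand-ins:

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of the register/cleanup pattern above, not
 * kernel code; live_allocs plays the role of kmemleak's outstanding-object count. */
static int live_allocs;

static void *track_zalloc(size_t n) { void *p = calloc(1, n); live_allocs += !!p; return p; }
static void track_free(void *p) { live_allocs -= !!p; free(p); } /* kfree(NULL) is a no-op */
static char *track_strdup(const char *s)                          /* stands in for kstrdup() */
{
    char *p = track_zalloc(strlen(s) + 1);
    return p ? memcpy(p, s, strlen(s) + 1) : NULL;
}

struct entity { char *name; };

/* fail_late simulates a step after kstrdup() failing, the path on which the
 * unpatched code leaks entity->name; fixed applies the patch's kfree(). */
static int register_entity(const char *name, int fail_late, int fixed)
{
    struct entity *entity = track_zalloc(sizeof(*entity));   /* kzalloc(): name == NULL */
    int ret;
    if (!entity)
        return -ENOMEM;
    /* device_create() would go here; its failure path is err_free_entity */
    entity->name = track_strdup(name);
    if (!entity->name) { ret = -ENOMEM; goto err_destroy_node; }
    if (fail_late)     { ret = -EINVAL; goto err_destroy_node; } /* later setup step fails */
    track_free(entity->name);            /* success: release the model object */
    track_free(entity);
    return 0;
err_destroy_node:                        /* device_destroy() would go here */
    if (fixed)
        track_free(entity->name);        /* the patch: free name before entity */
    track_free(entity);                  /* err_free_entity */
    return ret;
}

/* Allocations still outstanding after one failing registration:
 * 1 (the name string) without the patch, 0 with it. */
int leaked_after_failure(int fixed)
{
    live_allocs = 0;
    if (register_entity("m2m-source", 1, fixed) != -EINVAL)
        return -1;
    return live_allocs;
}
```

Calling leaked_after_failure(0) reproduces the leak of the unpatched path, and leaked_after_failure(1) shows the patched cleanup leaving nothing behind; in a real kernel the equivalent signal is a kmemleak report pointing at the kstrdup() call site.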
Original References
- Linux Kernel Mailing List (LKML) patch submission
- CVE-2024-27077 Record
Exploit Details and Affected Versions
The memory leak vulnerability in the v4l2-mem2mem module primarily affects Linux kernel versions up to and including 5.15. Linux distributions that rely on these kernel versions are susceptible and should apply the corresponding patch.
Please update your kernel or distribution to the latest version to ensure this vulnerability is effectively mitigated.
Timeline
Published on: 05/01/2024 13:15:51 UTC
Last modified on: 06/27/2024 12:15:24 UTC