ACK: [SRU][F][PATCH v2 0/3] CVE-2024-23848

Tim Whisonant tim.whisonant at canonical.com
Thu Jan 23 18:14:54 UTC 2025 

On Mon, Jan 13, 2025 at 11:10:54AM -0600, Jacob Martin wrote:
> [Impact]
> 
> A use-after-free vulnerability in the Linux kernel's HDMI CEC framework could
> potentially lead to denial of service or arbitrary code execution. This is
> resolved by a series of patches that improve the status tracking of CEC data
> transmission and use proper locking where necessary.
> 
> [Fix]
> 
> The following upstream patches are sufficient to resolve this issue:
> 9fe2816816a3 ("media: cec: cec-adap: always cancel work in cec_transmit_msg_fh")
> 42bcaacae924 ("media: cec: cec-api: add locking in cec_release()")
> 47c82aac10a6 ("media: cec: core: avoid recursive cec_claim_log_addrs")
> cbe499977bc3 ("media: cec: core: avoid confusing "transmit timed out" message")
> 
> The contents of upstream commits 9fe2816816a3 and 42bcaacae924 are already
> present in Focal via stable updates.
> 
> Noble: Fix released
> Jammy: Fix released
> Focal: Backport from mainline
> Bionic: Patch sent to ESM list
> Xenial: Not affected
> Trusty: Not affected
> 
> [Test Case]
> 
> Compile tested.
> 
> [Where issues could occur]
> 
> These changes affect the kernel's HDMI-CEC framework. Issues with this fix
> would manifest as issues with drivers using this framework, which could result
> in HDMI display output issues or issues with CEC communication.
> 
> v2:
> - Fix "media: cec: abort if the current transmit was canceled" backport to
> include these lines
> ```
> 	if (adap->transmitting)
> 		cec_data_cancel(adap->transmitting, CEC_TX_STATUS_ABORTED);
> ```
> in __cec_s_phys_addr.
> - Match upstream, only set `adap->transmit_in_progress_aborted = false;` in the
> de-init case of __cec_s_phys_addr.
> 
> Hans Verkuil (3):
>   media: cec: abort if the current transmit was canceled
>   media: cec: core: avoid recursive cec_claim_log_addrs
>   media: cec: core: avoid confusing "transmit timed out" message
> 
>  drivers/media/cec/cec-adap.c | 35 ++++++++++++++++++++++++++++++-----
>  drivers/media/cec/cec-api.c  |  2 +-
>  include/media/cec.h          |  2 ++
>  3 files changed, 33 insertions(+), 6 deletions(-)
> 
> -- 
> 2.43.0
> 

Acked-by: Tim Whisonant <tim.whisonant at canonical.com>

More information about the kernel-team mailing list