CVE-2023-54147
Description
In the Linux kernel, the following vulnerability has been resolved:
media: platform: mtk-mdp3: Add missing check and free for ida_alloc
Add the check for the return value of the ida_alloc in order to avoid NULL pointer dereference. Moreover, free allocated "ctx->id" if mdp_m2m_open fails later in order to avoid memory leak.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing return-value check for ida_alloc in the mtk-mdp3 driver could lead to NULL pointer dereference; a memory leak is also fixed.
Vulnerability
Analysis
In the Linux kernel's MediaTek MDP3 driver (mtk-mdp3), the function ida_alloc is used to allocate a unique ID for a context. The original code did not check the return value of ida_alloc. If the allocation fails (e.g., due to exhaustion of IDs), the function returns a negative error code, but the driver would use this value as a valid ID without validation. This missing check could lead to a NULL pointer dereference or other undefined behavior when the invalid ID is later used as an index or pointer [1].
Exploitation
An attacker with local access to the system could trigger this vulnerability by repeatedly opening the MDP3 device node via the m2m (memory-to-memory) interface, exhausting the IDA pool. Once ida_alloc fails, the driver would proceed with an invalid ID, potentially causing a kernel crash (denial of service) or, in some configurations, memory corruption. No special privileges beyond access to the video device are required, as the MDP3 device is typically accessible to unprivileged users through the V4L2 interface.
Impact
Successful exploitation results in a denial of service (kernel panic or oops) due to the NULL pointer dereference. Additionally, the patch fixes a memory leak: if mdp_m2m_open fails after allocating the ID, the allocated ID was not freed, leading to resource exhaustion over time. The combined effect is system instability and potential unavailability of the MDP3 hardware.
Mitigation
The fix was applied to the Linux kernel stable trees via commits [1] and [2]. Users should update their kernel to a version containing these commits. No workaround is available; the vulnerability is resolved only by applying the patch.
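The two changes the description names (check the ida_alloc result, release ctx->id when a later step of mdp_m2m_open fails) can be seen in a small user-space model. This is an added example, not code from the mtk-mdp3 driver or the fix commits; toy_ida_alloc, toy_ida_free, toy_open_unchecked, toy_open_checked and the four-slot pool are hypothetical stand-ins for the kernel allocator and the open path.

```c
/* User-space model, constructed for illustration; not the mtk-mdp3 source. */
#include <errno.h>
#define TOY_MAX_IDS 4                  /* tiny pool so exhaustion is easy to reach */
static unsigned char toy_used[TOY_MAX_IDS];
struct toy_ctx { int id; };

/* Stand-in for ida_alloc(): lowest free ID, or a negative errno when none is left. */
static int toy_ida_alloc(void)
{
    for (int i = 0; i < TOY_MAX_IDS; i++)
        if (!toy_used[i]) { toy_used[i] = 1; return i; }
    return -ENOSPC;
}
static void toy_ida_free(int id) { toy_used[id] = 0; }  /* stand-in for ida_free() */
static int toy_ids_in_use(void)
{
    int n = 0;
    for (int i = 0; i < TOY_MAX_IDS; i++) n += toy_used[i];
    return n;
}

/* Pre-fix shape: result stored unchecked, ID not released when a later step fails. */
static int toy_open_unchecked(struct toy_ctx *ctx, int later_step_fails)
{
    ctx->id = toy_ida_alloc();              /* may now hold -ENOSPC */
    return later_step_fails ? -EINVAL : 0;  /* on failure the ID stays taken: leak */
}

/* Post-fix shape: check the allocation, unwind it when a later step fails. */
static int toy_open_checked(struct toy_ctx *ctx, int later_step_fails)
{
    int ret = toy_ida_alloc();
    if (ret < 0)
        return ret;                         /* the added return-value check */
    ctx->id = ret;
    if (later_step_fails) {
        toy_ida_free(ctx->id);              /* the added free on the error path */
        return -EINVAL;
    }
    return 0;
}

int main(void)
{
    struct toy_ctx c = { 0 };
    for (int i = 0; i < TOY_MAX_IDS; i++)
        toy_open_unchecked(&c, 1);          /* failed opens drain the pool */
    return (toy_ids_in_use() == TOY_MAX_IDS && toy_open_checked(&c, 0) == -ENOSPC) ? 0 : 1;
}
```

In the unchecked variant, failed opens alone exhaust the pool and the next open reports success with a negative value in ctx->id; the checked variant returns the error and leaves the pool unchanged after any number of failed opens.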
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
4
51fc1880e474
4c173a65a2b1
22b72cad501f
d00f59225078
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4