Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's media subsystem, specifically within the Iris Gen2 driver, has been addressed. The issue arose because the function 'iris_kill_session' would set the session state to 'IRIS_INST_ERROR' and close the session, freeing a packet associated with the session. If 'stop_streaming' was called afterward, it could lead to a crash. The vulnerability has been fixed by adding a NULL check for the packet before sending a STOP command to the firmware.
The vulnerability could cause a crash through a use-after-free condition, in which freed memory is accessed, potentially leading to undefined behavior or exploitation.
The vulnerability can be reproduced by initiating a session with the Iris Gen2 driver and then calling 'stop_streaming' after the session has been closed and the associated packet has been freed. This sequence of actions will trigger the crash by accessing the freed memory.
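A simplified user-space C model of the call order and the NULL check described above, added here as an illustration and not taken from the kernel patch. The struct layout, the STOP opcode value and the assumption that the close path clears the packet pointer after freeing it are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model, not kernel code. Only IRIS_INST_ERROR and the two
 * function roles come from the advisory; everything else is hypothetical. */
enum inst_state { INST_STREAMING, IRIS_INST_ERROR };

struct inst {
    enum inst_state state;
    unsigned char *packet;      /* command buffer owned by the session */
};

/* Kill path: flag the error state, close the session, release the packet. */
static void kill_session(struct inst *inst)
{
    inst->state = IRIS_INST_ERROR;
    free(inst->packet);
    inst->packet = NULL;        /* assumed: a stale pointer would pass the check */
}

/* stop_streaming with the fix: no packet means no STOP command is built. */
static int stop_streaming(struct inst *inst)
{
    if (!inst->packet)
        return -1;              /* session already closed */
    inst->packet[0] = 0x01;     /* constructed STOP opcode */
    return 0;
}

/* Result of stop_streaming when the kill path runs before (1) or after (0). */
static int run_sequence(int kill_first)
{
    struct inst inst = { INST_STREAMING, calloc(1, 64) };
    int ret;
    if (!inst.packet)
        return -2;              /* allocation failed */
    if (kill_first)
        kill_session(&inst);
    ret = stop_streaming(&inst);
    kill_session(&inst);        /* free(NULL) is a no-op on the second call */
    return ret;
}

int main(void)
{
    printf("kill then stop: %d\n", run_sequence(1));
    printf("stop then kill: %d\n", run_sequence(0));
    return 0;
}
```

The guard only helps because the release path clears the pointer; a NULL check cannot detect a pointer that still holds the address of freed memory.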
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.