In the Linux kernel, the following vulnerability has been resolved:
media: rkisp1: Fix IRQ disable race issue
In rkisp1ispstop() and rkisp1csidisable() the driver masks the interrupts and then apparently assumes that the interrupt handler won't be running, and proceeds in the stop procedure. This is not the case, as the interrupt handler can already be running, which would lead to the ISP being disabled while the interrupt handler handling a captured frame.
This brings up two issues: 1) the ISP could be powered off while the interrupt handler is still running and accessing registers, leading to board lockup, and 2) the interrupt handler code and the code that disables the streaming might do things that conflict.
It is not clear to me if 2) causes a real issue, but 1) can be seen with a suitable delay (or printk in my case) in the interrupt handler, leading to board lockup.
{ "vanir_signatures": [ { "signature_type": "Line", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-isp.c" }, "id": "CVE-2023-52589-0f13a176", "digest": { "threshold": 0.9, "line_hashes": [ "177721362960620369018162299729233540365", "203483537276245121344917475709853730520", "319784915687324602953726339978750845598", "290105242840050368777748766467311787444", "264073871450358868387452775550896057767", "301240415261358878918123121314330007866" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fab483438342984f2a315fe13c882a80f0f7e545", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-isp.c" }, "id": "CVE-2023-52589-336b22dd", "digest": { "threshold": 0.9, "line_hashes": [ "177721362960620369018162299729233540365", "203483537276245121344917475709853730520", "319784915687324602953726339978750845598", "290105242840050368777748766467311787444", "264073871450358868387452775550896057767", "301240415261358878918123121314330007866" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bb1a2822aa2c2de4e09bf7c56dd93bd532f1fa7", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-csi.c", "function": "rkisp1_csi_disable" }, "id": "CVE-2023-52589-47b9da7c", "digest": { "length": 311.0, "function_hash": "108844277386329356968997437002033848874" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bb1a2822aa2c2de4e09bf7c56dd93bd532f1fa7", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-csi.c" }, "id": "CVE-2023-52589-4ad4b008", "digest": { "threshold": 0.9, "line_hashes": [ "245320435324680237686765549355808320646", "475400164750730695561074471270619128", "9901591121588034346665751637037154463", "83535236132158540406605666030476326084" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fab483438342984f2a315fe13c882a80f0f7e545", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-csi.c" }, "id": "CVE-2023-52589-5180bba4", "digest": { "threshold": 0.9, "line_hashes": [ "245320435324680237686765549355808320646", "475400164750730695561074471270619128", "9901591121588034346665751637037154463", "83535236132158540406605666030476326084" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bb1a2822aa2c2de4e09bf7c56dd93bd532f1fa7", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-isp.c", "function": "rkisp1_isp_stop" }, "id": "CVE-2023-52589-84907bd2", "digest": { "length": 826.0, "function_hash": "55342049372149929432857784575134587169" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bb1a2822aa2c2de4e09bf7c56dd93bd532f1fa7", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-csi.c", "function": "rkisp1_csi_disable" }, "id": "CVE-2023-52589-9f4c22e2", "digest": { "length": 311.0, "function_hash": "108844277386329356968997437002033848874" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bf808f58681cab64c81cd814551814fd34e540fe", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-csi.c" }, "id": "CVE-2023-52589-b5bd02e7", "digest": { "threshold": 0.9, "line_hashes": [ "245320435324680237686765549355808320646", "475400164750730695561074471270619128", "9901591121588034346665751637037154463", "83535236132158540406605666030476326084" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@870565f063a58576e8a4529f122cac4325c6b395", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-csi.c" }, "id": "CVE-2023-52589-b6805db0", "digest": { "threshold": 0.9, "line_hashes": [ "245320435324680237686765549355808320646", "475400164750730695561074471270619128", "9901591121588034346665751637037154463", "83535236132158540406605666030476326084" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bf808f58681cab64c81cd814551814fd34e540fe", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-isp.c", "function": "rkisp1_isp_stop" }, "id": "CVE-2023-52589-b715f8cc", "digest": { "length": 826.0, "function_hash": "55342049372149929432857784575134587169" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bf808f58681cab64c81cd814551814fd34e540fe", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-csi.c", "function": "rkisp1_csi_disable" }, "id": "CVE-2023-52589-de85ee9e", "digest": { "length": 311.0, "function_hash": "108844277386329356968997437002033848874" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@870565f063a58576e8a4529f122cac4325c6b395", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-csi.c", "function": "rkisp1_csi_disable" }, "id": "CVE-2023-52589-e4553e74", "digest": { "length": 311.0, "function_hash": "108844277386329356968997437002033848874" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fab483438342984f2a315fe13c882a80f0f7e545", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-isp.c" }, "id": "CVE-2023-52589-f0e6cfeb", "digest": { "threshold": 0.9, "line_hashes": [ "177721362960620369018162299729233540365", "203483537276245121344917475709853730520", "319784915687324602953726339978750845598", "290105242840050368777748766467311787444", "264073871450358868387452775550896057767", "301240415261358878918123121314330007866" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@870565f063a58576e8a4529f122cac4325c6b395", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-isp.c", "function": "rkisp1_isp_stop" }, "id": "CVE-2023-52589-f1cdd697", "digest": { "length": 826.0, "function_hash": "55342049372149929432857784575134587169" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@870565f063a58576e8a4529f122cac4325c6b395", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-isp.c" }, "id": "CVE-2023-52589-f9b70cfe", "digest": { "threshold": 0.9, "line_hashes": [ "177721362960620369018162299729233540365", "203483537276245121344917475709853730520", "319784915687324602953726339978750845598", "290105242840050368777748766467311787444", "264073871450358868387452775550896057767", "301240415261358878918123121314330007866" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bf808f58681cab64c81cd814551814fd34e540fe", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", "target": { "file": "drivers/media/platform/rockchip/rkisp1/rkisp1-isp.c", "function": "rkisp1_isp_stop" }, "id": "CVE-2023-52589-fc3cba48", "digest": { "length": 826.0, "function_hash": "55342049372149929432857784575134587169" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fab483438342984f2a315fe13c882a80f0f7e545", "deprecated": false, "signature_version": "v1" } ] }