Description
In the Linux kernel, the following vulnerability has been resolved: ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection() Calling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose() with a subdev state of NULL leads to a NULL pointer dereference. This can currently happen in imgu_subdev_set_selection() when the state passed in is NULL, as this method first gets pointers to both the "try" and "active" states and only then decides which to use. The same issue has been addressed for imgu_subdev_get_selection() with commit 30d03a0de650 ("ipu3-imgu: Fix NULL pointer dereference in active selection access"). However the issue still persists in imgu_subdev_set_selection(). Therefore, apply a similar fix as done in the aforementioned commit to imgu_subdev_set_selection(). To keep things a bit cleaner, introduce helper functions for "crop" and "compose" access and use them in both imgu_subdev_set_selection() and imgu_subdev_get_selection().
Product status
0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 (git) before fa6bbb4894b9b947063c6ff90018a954c5f9f4b3
0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 (git) before 611d617bdb6c5d636a9861ec1c98e813fc8a5556
0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 (git) before 5038ee677606106c91564f9c4557d808d14bad70
0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 (git) before dc608edf7d45ba0c2ad14c06eccd66474fec7847
5.14
Any version before 5.14
5.15.87 (semver)
6.0.18 (semver)
6.1.4 (semver)
6.2 (original_commit_for_fix)
References
git.kernel.org/...c/fa6bbb4894b9b947063c6ff90018a954c5f9f4b3
git.kernel.org/...c/611d617bdb6c5d636a9861ec1c98e813fc8a5556
git.kernel.org/...c/5038ee677606106c91564f9c4557d808d14bad70
git.kernel.org/...c/dc608edf7d45ba0c2ad14c06eccd66474fec7847
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.
