Security Vulnerability Report
CVE-2023-53637 CVSS 5.5 MEDIUM

CVE-2023-53637

Published: 2025-10-07 16:15:47
Last Modified: 2026-02-03 22:30:16
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov772x: Fix memleak in ov772x_probe() A memory leak was reported when testing ov772x with bpf mock device: AssertionError: unreferenced object 0xffff888109afa7a8 (size 8): comm "python3", pid 279, jiffies 4294805921 (age 20.681s) hex dump (first 8 bytes): 80 22 88 15 81 88 ff ff ."...... backtrace: [<000000009990b438>] __kmalloc_node+0x44/0x1b0 [<000000009e32f7d7>] kvmalloc_node+0x34/0x180 [<00000000faf48134>] v4l2_ctrl_handler_init_class+0x11d/0x180 [videodev] [<00000000da376937>] ov772x_probe+0x1c3/0x68c [ov772x] [<000000003f0d225e>] i2c_device_probe+0x28d/0x680 [<00000000e0b6db89>] really_probe+0x17c/0x3f0 [<000000001b19fcee>] __driver_probe_device+0xe3/0x170 [<0000000048370519>] driver_probe_device+0x49/0x120 [<000000005ead07a0>] __device_attach_driver+0xf7/0x150 [<0000000043f452b8>] bus_for_each_drv+0x114/0x180 [<00000000358e5596>] __device_attach+0x1e5/0x2d0 [<0000000043f83c5d>] bus_probe_device+0x126/0x140 [<00000000ee0f3046>] device_add+0x810/0x1130 [<00000000e0278184>] i2c_new_client_device+0x359/0x4f0 [<0000000070baf34f>] of_i2c_register_device+0xf1/0x110 [<00000000a9f2159d>] of_i2c_notify+0x100/0x160 unreferenced object 0xffff888119825c00 (size 256): comm "python3", pid 279, jiffies 4294805921 (age 20.681s) hex dump (first 32 bytes): 00 b4 a5 17 81 88 ff ff 00 5e 82 19 81 88 ff ff .........^...... 10 5c 82 19 81 88 ff ff 10 5c 82 19 81 88 ff ff .\.......\...... 
backtrace: [<000000009990b438>] __kmalloc_node+0x44/0x1b0 [<000000009e32f7d7>] kvmalloc_node+0x34/0x180 [<0000000073d88e0b>] v4l2_ctrl_new.cold+0x19b/0x86f [videodev] [<00000000b1f576fb>] v4l2_ctrl_new_std+0x16f/0x210 [videodev] [<00000000caf7ac99>] ov772x_probe+0x1fa/0x68c [ov772x] [<000000003f0d225e>] i2c_device_probe+0x28d/0x680 [<00000000e0b6db89>] really_probe+0x17c/0x3f0 [<000000001b19fcee>] __driver_probe_device+0xe3/0x170 [<0000000048370519>] driver_probe_device+0x49/0x120 [<000000005ead07a0>] __device_attach_driver+0xf7/0x150 [<0000000043f452b8>] bus_for_each_drv+0x114/0x180 [<00000000358e5596>] __device_attach+0x1e5/0x2d0 [<0000000043f83c5d>] bus_probe_device+0x126/0x140 [<00000000ee0f3046>] device_add+0x810/0x1130 [<00000000e0278184>] i2c_new_client_device+0x359/0x4f0 [<0000000070baf34f>] of_i2c_register_device+0xf1/0x110 The reason is that if priv->hdl.error is set, ov772x_probe() jumps to the error_mutex_destroy without doing v4l2_ctrl_handler_free(), and all resources allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() are leaked.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

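cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 4.17 up to, but not including, 4.19.276) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 4.20 up to, but not including, 5.4.235) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 5.5 up to, but not including, 5.10.173) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 5.11 up to, but not including, 5.15.99) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 5.16 up to, but not including, 6.1.16) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.2 up to, but not including, 6.2.3) - VULNERABLE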
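Linux kernel < 6.6 (包含ov772x驱动的版本)
Linux kernel 6.6.x (部分版本)
Linux kernel 6.1.x (LTS分支受影响版本)
Linux kernel 5.15.x (LTS分支受影响版本)
Linux kernel 5.10.x (LTS分支受影响版本)
Linux kernel 5.4.x (LTS分支受影响版本)
Note: the branch-level entries above are approximate. The CPE match data in the Raw JSON Data section gives the exact ranges: each affected branch is fixed in 4.19.276, 5.4.235, 5.10.173, 5.15.99, 6.1.16 and 6.2.3 respectively, and the visible CPE data lists no affected range at or above 6.2.3. Use those version bounds, not the branch names, when deciding whether a kernel needs the fix.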

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
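/*
 * Illustration for CVE-2023-53637: memory leak on an error path of
 * ov772x_probe() in the Linux kernel ov772x camera sensor driver.
 *
 * This is a simplified model of the defect, not the driver source. It shows
 * the pattern described in the advisory: probe fails after
 * v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() have allocated memory,
 * and the error path returns without calling v4l2_ctrl_handler_free().
 *
 * Impact per the advisory's CVSS vector: local, availability only. Each
 * failed probe leaves the control handler's allocations unreferenced.
 */
#include <linux/module.h>
#include <linux/i2c.h>
#include <linux/slab.h>
#include <media/v4l2-ctrls.h>

/* Simulated ov772x private structure (only the fields the model needs). */
struct ov772x_priv {
	struct v4l2_ctrl_handler hdl;
	struct mutex lock;
};

/*
 * Model of the vulnerable probe path.
 *
 * Returns 0 on success, -ENOMEM if the private structure cannot be
 * allocated, or the error recorded in priv->hdl.error.
 *
 * Nothing in this module calls the function; __maybe_unused keeps the build
 * free of an unused-function warning.
 */
static int __maybe_unused ov772x_probe_vulnerable(struct i2c_client *client)
{
	struct ov772x_priv *priv;
	int ret;

	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
	if (!priv)
		return -ENOMEM;

	/*
	 * Initialise the mutex before any step that can jump to
	 * error_mutex_destroy, so the error path never calls mutex_destroy()
	 * on a mutex that was not initialised.
	 */
	mutex_init(&priv->lock);

	/* Step 1: initialise the control handler - allocates memory. */
	v4l2_ctrl_handler_init(&priv->hdl, 4);

	/* Step 2: create standard controls - allocates more memory. */
	v4l2_ctrl_new_std(&priv->hdl, NULL, V4L2_CID_BRIGHTNESS, 0, 255, 1, 128);
	v4l2_ctrl_new_std(&priv->hdl, NULL, V4L2_CID_CONTRAST, 0, 255, 1, 128);
	v4l2_ctrl_new_std(&priv->hdl, NULL, V4L2_CID_SATURATION, 0, 255, 1, 128);

	/* The handler records a failure of the steps above in hdl.error. */
	if (priv->hdl.error) {
		ret = priv->hdl.error;
		/*
		 * CVE-2023-53637: this jump skips v4l2_ctrl_handler_free(),
		 * so everything allocated in steps 1 and 2 is leaked. It is
		 * left unfixed here on purpose, as the pattern being shown.
		 */
		goto error_mutex_destroy;
	}

	/*
	 * Keep a reference to priv on success so that the success path is not
	 * itself reported as a leak. This model has no remove callback; a
	 * real driver releases the handler and priv there.
	 */
	i2c_set_clientdata(client, priv);
	return 0;

error_mutex_destroy:
	/* Destroys the mutex and frees priv, but NOT the control handler. */
	mutex_destroy(&priv->lock);
	kfree(priv);
	return ret;
}

/*
 * The fix frees the control handler before the mutex is destroyed:
 *
 * error_mutex_destroy:
 *	v4l2_ctrl_handler_free(&priv->hdl);	// FIX: free control handler
 *	mutex_destroy(&priv->lock);
 *	kfree(priv);
 *	return ret;
 *
 * Confirming the leak on a test kernel (as in the original report):
 *   1. Load the ov772x module.
 *   2. Use a BPF mock device or a faulty device tree so that
 *      v4l2_ctrl_new_std() fails during probe.
 *   3. Observe the unreferenced objects via kmemleak or slabinfo; the
 *      report's backtraces point at v4l2_ctrl_handler_init_class() and
 *      v4l2_ctrl_new_std() called from ov772x_probe().
 *   4. Repeating the probe cycle accumulates leaked memory.
 *
 * Mitigation: run a kernel that contains the fix. The advisory's CPE data
 * lists 4.19.276, 5.4.235, 5.10.173, 5.15.99, 6.1.16 and 6.2.3 as the first
 * fixed versions of their branches.
 */

/*
 * Module init. The loop only writes log lines; it does not call
 * ov772x_probe_vulnerable() and does not touch the real ov772x driver, so
 * loading this module leaks nothing by itself.
 */
static int __init poc_init(void)
{
	int i;

	for (i = 0; i < 1000; i++)
		printk(KERN_INFO "Triggering ov772x memory leak iteration %d\n", i);

	return 0;
}

/* Module exit: logs the unload; there is no state to release. */
static void __exit poc_exit(void)
{
	printk(KERN_INFO "PoC module unloaded\n");
}

module_init(poc_init);
module_exit(poc_exit);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("PoC for CVE-2023-53637 ov772x memory leak");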

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53637", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:46.883", "lastModified": "2026-02-03T22:30:16.320", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: ov772x: Fix memleak in ov772x_probe()\n\nA memory leak was reported when testing ov772x with bpf mock device:\n\nAssertionError: unreferenced object 0xffff888109afa7a8 (size 8):\n comm \"python3\", pid 279, jiffies 4294805921 (age 20.681s)\n hex dump (first 8 bytes):\n 80 22 88 15 81 88 ff ff .\"......\n backtrace:\n [<000000009990b438>] __kmalloc_node+0x44/0x1b0\n [<000000009e32f7d7>] kvmalloc_node+0x34/0x180\n [<00000000faf48134>] v4l2_ctrl_handler_init_class+0x11d/0x180 [videodev]\n [<00000000da376937>] ov772x_probe+0x1c3/0x68c [ov772x]\n [<000000003f0d225e>] i2c_device_probe+0x28d/0x680\n [<00000000e0b6db89>] really_probe+0x17c/0x3f0\n [<000000001b19fcee>] __driver_probe_device+0xe3/0x170\n [<0000000048370519>] driver_probe_device+0x49/0x120\n [<000000005ead07a0>] __device_attach_driver+0xf7/0x150\n [<0000000043f452b8>] bus_for_each_drv+0x114/0x180\n [<00000000358e5596>] __device_attach+0x1e5/0x2d0\n [<0000000043f83c5d>] bus_probe_device+0x126/0x140\n [<00000000ee0f3046>] device_add+0x810/0x1130\n [<00000000e0278184>] i2c_new_client_device+0x359/0x4f0\n [<0000000070baf34f>] of_i2c_register_device+0xf1/0x110\n [<00000000a9f2159d>] of_i2c_notify+0x100/0x160\nunreferenced object 0xffff888119825c00 (size 256):\n comm \"python3\", pid 279, jiffies 4294805921 (age 20.681s)\n hex dump (first 32 bytes):\n 00 b4 a5 17 81 88 ff ff 00 5e 82 19 81 88 ff ff .........^......\n 10 5c 82 19 81 88 ff ff 10 5c 82 19 81 88 ff ff .\\.......\\......\n backtrace:\n [<000000009990b438>] __kmalloc_node+0x44/0x1b0\n [<000000009e32f7d7>] kvmalloc_node+0x34/0x180\n [<0000000073d88e0b>] v4l2_ctrl_new.cold+0x19b/0x86f [videodev]\n [<00000000b1f576fb>] 
v4l2_ctrl_new_std+0x16f/0x210 [videodev]\n [<00000000caf7ac99>] ov772x_probe+0x1fa/0x68c [ov772x]\n [<000000003f0d225e>] i2c_device_probe+0x28d/0x680\n [<00000000e0b6db89>] really_probe+0x17c/0x3f0\n [<000000001b19fcee>] __driver_probe_device+0xe3/0x170\n [<0000000048370519>] driver_probe_device+0x49/0x120\n [<000000005ead07a0>] __device_attach_driver+0xf7/0x150\n [<0000000043f452b8>] bus_for_each_drv+0x114/0x180\n [<00000000358e5596>] __device_attach+0x1e5/0x2d0\n [<0000000043f83c5d>] bus_probe_device+0x126/0x140\n [<00000000ee0f3046>] device_add+0x810/0x1130\n [<00000000e0278184>] i2c_new_client_device+0x359/0x4f0\n [<0000000070baf34f>] of_i2c_register_device+0xf1/0x110\n\nThe reason is that if priv->hdl.error is set, ov772x_probe() jumps to the\nerror_mutex_destroy without doing v4l2_ctrl_handler_free(), and all\nresources allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std()\nare leaked."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "4.19.276", "matchCriteriaId": "65A6A7A7-8753-4F07-BCF7-E695771C7481"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.235", "matchCriteriaId": 
"13DD5E68-8CB4-46EE-9A8F-C7F6C1A84430"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.173", "matchCriteriaId": "4D810CFB-B7C5-493C-B98A-0D5F0D8A47B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.99", "matchCriteriaId": "5B8B2AC9-2F31-4A0F-96F5-7E26B50B27BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.16", "matchCriteriaId": "0FD95FDA-6525-4B13-B3FB-49D9995FD8ED"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.3", "matchCriteriaId": "88C67289-22AD-4CA9-B202-5F5A80E5BA4B"}]}]}], "references": [{ ... (truncated)