Re: [PATCH] media: meson: vdec: fix use-after-free of prev_frame in codec_vp9_rm_noshow_frame()

From: Dan Carpenter

Date: Fri Jun 26 2026 - 13:29:30 EST


On Fri, Jun 26, 2026 at 06:40:25PM +0200, Doruk Tan Ozturk wrote:
> codec_vp9_rm_noshow_frame() frees the first non-shown reference frame on
> ref_frames_list without excluding vp9->prev_frame. When the previously
> decoded frame was a non-show (alt-ref) frame and the current frame is a
> non-show inter frame, the freed object is the one vp9->prev_frame still
> points to; codec_vp9_set_mpred_mv() then dereferences the stale pointer
> (use_prev_frame_mvs and codec_vp9_get_frame_mv_paddr()), a use-after-free.
>
> The sibling cleanup codec_vp9_show_frame() already guards this pointer
> (tmp == vp9->prev_frame); rm_noshow_frame() simply omits the same check.
> Add it.
>
> The fields that drive this path (show_frame, frame_type, intra_only) are
> parsed from the VP9 bitstream, so a crafted stream fed to the stateless
> decoder can trigger the free-then-use.
>
> Found by static analysis; not yet runtime-reproduced (Amlogic Meson
> hardware required).
>
> Found by 0sec's autonomous vulnerability analysis (https://0sec.ai).
>
> Signed-off-by: Doruk Tan Ozturk <doruk@xxxxxxx>
> ---
> drivers/staging/media/meson/vdec/codec_vp9.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/drivers/staging/media/meson/vdec/codec_vp9.c b/drivers/staging/media/meson/vdec/codec_vp9.c
> index 8e80ecf84..572f418c9 100644
> --- a/drivers/staging/media/meson/vdec/codec_vp9.c
> +++ b/drivers/staging/media/meson/vdec/codec_vp9.c
> @@ -1247,6 +1247,15 @@ static void codec_vp9_rm_noshow_frame(struct amvdec_session *sess)
> if (tmp->show)
> continue;
>
> + /*
> + * prev_frame is still referenced by the MV predictor in
> + * codec_vp9_set_mpred_mv(); the sibling codec_vp9_show_frame()
> + * already excludes it before freeing. Do the same here to avoid
> + * a use-after-free of vp9->prev_frame.
> + */
> + if (tmp == vp9->prev_frame)
> + continue;
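Review bot: the new guard at the top of the loop exempts only vp9->prev_frame, while the commit message cites codec_vp9_show_frame() as the model for this check without saying whether that sibling also protects other frames still in use, such as vp9->cur_frame; please confirm that both cleanup paths now exclude the same set of live frames, or add the matching check (e.g. `if (tmp == vp9->cur_frame) continue;`) next to the new one. The commit message should also state what happens when the only non-shown frame is prev_frame: after the added `continue` it stays on ref_frames_list for this pass, so say where it is released once it is no longer prev_frame, to rule out a leak.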

I have not looked at this code before, so I'm speaking from a position
of ignorance, but codec_vp9_show_frame() checks vp9->cur_frame as well.
Shouldn't we check that here as well?

regards,
dan carpenter