CVE-2023-28577 Information

Description

In the function call related to CAM_REQ_MGR_RELEASE_BUF there is no check if the buffer is being used. So when a function called cam_mem_get_cpu_buf to get the kernel va to use another thread can call CAM_REQ_MGR_RELEASE_BUF to unmap the kernel va which cause UAF of the kernel address.

Reference

https://www.qualcomm.com/company/product-security/bulletins/august-2023-bulletin