CVE-2024-26657
Vulnerability from cvelistv5
Published
2024-04-02 06:08
Modified
2024-12-19 08:44
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/sched: fix null-ptr-deref in init entity The bug can be triggered by sending an amdgpu_cs_wait_ioctl to the AMDGPU DRM driver on any ASICs with valid context. The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>. For example the following code: static void Syzkaller2(int fd) { union drm_amdgpu_ctx arg1; union drm_amdgpu_wait_cs arg2; arg1.in.op = AMDGPU_CTX_OP_ALLOC_CTX; ret = drmIoctl(fd, 0x140106442 /* amdgpu_ctx_ioctl */, &arg1); arg2.in.handle = 0x0; arg2.in.timeout = 0x2000000000000; arg2.in.ip_type = AMD_IP_VPE /* 0x9 */; arg2->in.ip_instance = 0x0; arg2.in.ring = 0x0; arg2.in.ctx_id = arg1.out.alloc.ctx_id; drmIoctl(fd, 0xc0206449 /* AMDGPU_WAIT_CS * /, &arg2); } The ioctl AMDGPU_WAIT_CS without previously submitted job could be assumed that the error should be returned, but the following commit 1decbf6bb0b4dc56c9da6c5e57b994ebfc2be3aa modified the logic and allowed to have sched_rq equal to NULL. As a result when there is no job the ioctl AMDGPU_WAIT_CS returns success. The change fixes null-ptr-deref in init entity and the stack below demonstrates the error condition: [ +0.000007] BUG: kernel NULL pointer dereference, address: 0000000000000028 [ +0.007086] #PF: supervisor read access in kernel mode [ +0.005234] #PF: error_code(0x0000) - not-present page [ +0.005232] PGD 0 P4D 0 [ +0.002501] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI [ +0.005034] CPU: 10 PID: 9229 Comm: amd_basic Tainted: G B W L 6.7.0+ #4 [ +0.007797] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [ +0.009798] RIP: 0010:drm_sched_entity_init+0x2d3/0x420 [gpu_sched] [ +0.006426] Code: 80 00 00 00 00 00 00 00 e8 1a 81 82 e0 49 89 9c 24 c0 00 00 00 4c 89 ef e8 4a 80 82 e0 49 8b 5d 00 48 8d 7b 28 e8 3d 80 82 e0 <48> 83 7b 28 00 0f 84 28 01 00 00 4d 8d ac 24 98 00 00 00 49 8d 5c [ +0.019094] RSP: 0018:ffffc90014c1fa40 EFLAGS: 00010282 [ +0.005237] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff8113f3fa [ +0.007326] RDX: fffffbfff0a7889d RSI: 0000000000000008 RDI: ffffffff853c44e0 [ +0.007264] RBP: ffffc90014c1fa80 R08: 0000000000000001 R09: fffffbfff0a7889c [ +0.007266] R10: ffffffff853c44e7 R11: 0000000000000001 R12: ffff8881a719b010 [ +0.007263] R13: ffff88810d412748 R14: 0000000000000002 R15: 0000000000000000 [ +0.007264] FS: 00007ffff7045540(0000) GS:ffff8883cc900000(0000) knlGS:0000000000000000 [ +0.008236] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.005851] CR2: 0000000000000028 CR3: 000000011912e000 CR4: 0000000000350ef0 [ +0.007175] Call Trace: [ +0.002561] <TASK> [ +0.002141] ? show_regs+0x6a/0x80 [ +0.003473] ? __die+0x25/0x70 [ +0.003124] ? page_fault_oops+0x214/0x720 [ +0.004179] ? preempt_count_sub+0x18/0xc0 [ +0.004093] ? __pfx_page_fault_oops+0x10/0x10 [ +0.004590] ? srso_return_thunk+0x5/0x5f [ +0.004000] ? vprintk_default+0x1d/0x30 [ +0.004063] ? srso_return_thunk+0x5/0x5f [ +0.004087] ? vprintk+0x5c/0x90 [ +0.003296] ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched] [ +0.005807] ? srso_return_thunk+0x5/0x5f [ +0.004090] ? _printk+0xb3/0xe0 [ +0.003293] ? __pfx__printk+0x10/0x10 [ +0.003735] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ +0.005482] ? do_user_addr_fault+0x345/0x770 [ +0.004361] ? exc_page_fault+0x64/0xf0 [ +0.003972] ? asm_exc_page_fault+0x27/0x30 [ +0.004271] ? add_taint+0x2a/0xa0 [ +0.003476] ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched] [ +0.005812] amdgpu_ctx_get_entity+0x3f9/0x770 [amdgpu] [ +0.009530] ? finish_task_switch.isra.0+0x129/0x470 [ +0.005068] ? __pfx_amdgpu_ctx_get_entity+0x10/0x10 [amdgpu] [ +0.010063] ? __kasan_check_write+0x14/0x20 [ +0.004356] ? srso_return_thunk+0x5/0x5f [ +0.004001] ? mutex_unlock+0x81/0xd0 [ +0.003802] ? srso_return_thunk+0x5/0x5f [ +0.004096] amdgpu_cs_wait_ioctl+0xf6/0x270 [amdgpu] [ +0.009355] ? __pfx_ ---truncated---
Impacted products
Vendor Product Version
Linux Linux Version: 6.7
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:12.434Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/74cd204c7afe498aa9dcc3ebf0ecac53d477a429"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/54b5b7275dfdec35812ccce70930cd7c4ee612b2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f34e8bb7d6c6626933fe993e03ed59ae85e16abb"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26657",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:53:53.048412Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:40.914Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/scheduler/sched_entity.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "74cd204c7afe498aa9dcc3ebf0ecac53d477a429",
              "status": "affected",
              "version": "56e449603f0ac580700621a356d35d5716a62ce5",
              "versionType": "git"
            },
            {
              "lessThan": "54b5b7275dfdec35812ccce70930cd7c4ee612b2",
              "status": "affected",
              "version": "56e449603f0ac580700621a356d35d5716a62ce5",
              "versionType": "git"
            },
            {
              "lessThan": "f34e8bb7d6c6626933fe993e03ed59ae85e16abb",
              "status": "affected",
              "version": "56e449603f0ac580700621a356d35d5716a62ce5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/scheduler/sched_entity.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: fix null-ptr-deref in init entity\n\nThe bug can be triggered by sending an amdgpu_cs_wait_ioctl\nto the AMDGPU DRM driver on any ASICs with valid context.\nThe bug was reported by Joonkyo Jung \u003cjoonkyoj@yonsei.ac.kr\u003e.\nFor example the following code:\n\n    static void Syzkaller2(int fd)\n    {\n\tunion drm_amdgpu_ctx arg1;\n\tunion drm_amdgpu_wait_cs arg2;\n\n\targ1.in.op = AMDGPU_CTX_OP_ALLOC_CTX;\n\tret = drmIoctl(fd, 0x140106442 /* amdgpu_ctx_ioctl */, \u0026arg1);\n\n\targ2.in.handle = 0x0;\n\targ2.in.timeout = 0x2000000000000;\n\targ2.in.ip_type = AMD_IP_VPE /* 0x9 */;\n\targ2-\u003ein.ip_instance = 0x0;\n\targ2.in.ring = 0x0;\n\targ2.in.ctx_id = arg1.out.alloc.ctx_id;\n\n\tdrmIoctl(fd, 0xc0206449 /* AMDGPU_WAIT_CS * /, \u0026arg2);\n    }\n\nThe ioctl AMDGPU_WAIT_CS without previously submitted job could be assumed that\nthe error should be returned, but the following commit 1decbf6bb0b4dc56c9da6c5e57b994ebfc2be3aa\nmodified the logic and allowed to have sched_rq equal to NULL.\n\nAs a result when there is no job the ioctl AMDGPU_WAIT_CS returns success.\nThe change fixes null-ptr-deref in init entity and the stack below demonstrates\nthe error condition:\n\n[  +0.000007] BUG: kernel NULL pointer dereference, address: 0000000000000028\n[  +0.007086] #PF: supervisor read access in kernel mode\n[  +0.005234] #PF: error_code(0x0000) - not-present page\n[  +0.005232] PGD 0 P4D 0\n[  +0.002501] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI\n[  +0.005034] CPU: 10 PID: 9229 Comm: amd_basic Tainted: G    B   W    L     6.7.0+ #4\n[  +0.007797] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[  +0.009798] RIP: 0010:drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\n[  +0.006426] Code: 80 00 00 00 00 00 00 00 e8 1a 81 82 e0 49 89 9c 24 c0 00 00 00 4c 89 ef e8 4a 80 82 e0 49 8b 5d 00 48 8d 7b 28 e8 3d 80 82 e0 \u003c48\u003e 83 7b 28 00 0f 84 28 01 00 00 4d 8d ac 24 98 00 00 00 49 8d 5c\n[  +0.019094] RSP: 0018:ffffc90014c1fa40 EFLAGS: 00010282\n[  +0.005237] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff8113f3fa\n[  +0.007326] RDX: fffffbfff0a7889d RSI: 0000000000000008 RDI: ffffffff853c44e0\n[  +0.007264] RBP: ffffc90014c1fa80 R08: 0000000000000001 R09: fffffbfff0a7889c\n[  +0.007266] R10: ffffffff853c44e7 R11: 0000000000000001 R12: ffff8881a719b010\n[  +0.007263] R13: ffff88810d412748 R14: 0000000000000002 R15: 0000000000000000\n[  +0.007264] FS:  00007ffff7045540(0000) GS:ffff8883cc900000(0000) knlGS:0000000000000000\n[  +0.008236] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.005851] CR2: 0000000000000028 CR3: 000000011912e000 CR4: 0000000000350ef0\n[  +0.007175] Call Trace:\n[  +0.002561]  \u003cTASK\u003e\n[  +0.002141]  ? show_regs+0x6a/0x80\n[  +0.003473]  ? __die+0x25/0x70\n[  +0.003124]  ? page_fault_oops+0x214/0x720\n[  +0.004179]  ? preempt_count_sub+0x18/0xc0\n[  +0.004093]  ? __pfx_page_fault_oops+0x10/0x10\n[  +0.004590]  ? srso_return_thunk+0x5/0x5f\n[  +0.004000]  ? vprintk_default+0x1d/0x30\n[  +0.004063]  ? srso_return_thunk+0x5/0x5f\n[  +0.004087]  ? vprintk+0x5c/0x90\n[  +0.003296]  ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\n[  +0.005807]  ? srso_return_thunk+0x5/0x5f\n[  +0.004090]  ? _printk+0xb3/0xe0\n[  +0.003293]  ? __pfx__printk+0x10/0x10\n[  +0.003735]  ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[  +0.005482]  ? do_user_addr_fault+0x345/0x770\n[  +0.004361]  ? exc_page_fault+0x64/0xf0\n[  +0.003972]  ? asm_exc_page_fault+0x27/0x30\n[  +0.004271]  ? add_taint+0x2a/0xa0\n[  +0.003476]  ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\n[  +0.005812]  amdgpu_ctx_get_entity+0x3f9/0x770 [amdgpu]\n[  +0.009530]  ? finish_task_switch.isra.0+0x129/0x470\n[  +0.005068]  ? __pfx_amdgpu_ctx_get_entity+0x10/0x10 [amdgpu]\n[  +0.010063]  ? __kasan_check_write+0x14/0x20\n[  +0.004356]  ? srso_return_thunk+0x5/0x5f\n[  +0.004001]  ? mutex_unlock+0x81/0xd0\n[  +0.003802]  ? srso_return_thunk+0x5/0x5f\n[  +0.004096]  amdgpu_cs_wait_ioctl+0xf6/0x270 [amdgpu]\n[  +0.009355]  ? __pfx_\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:44:26.970Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/74cd204c7afe498aa9dcc3ebf0ecac53d477a429"
        },
        {
          "url": "https://git.kernel.org/stable/c/54b5b7275dfdec35812ccce70930cd7c4ee612b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/f34e8bb7d6c6626933fe993e03ed59ae85e16abb"
        }
      ],
      "title": "drm/sched: fix null-ptr-deref in init entity",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26657",
    "datePublished": "2024-04-02T06:08:44.329Z",
    "dateReserved": "2024-02-19T14:20:24.145Z",
    "dateUpdated": "2024-12-19T08:44:26.970Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26657\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-02T07:15:42.830\",\"lastModified\":\"2024-11-21T09:02:46.837\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/sched: fix null-ptr-deref in init entity\\n\\nThe bug can be triggered by sending an amdgpu_cs_wait_ioctl\\nto the AMDGPU DRM driver on any ASICs with valid context.\\nThe bug was reported by Joonkyo Jung \u003cjoonkyoj@yonsei.ac.kr\u003e.\\nFor example the following code:\\n\\n    static void Syzkaller2(int fd)\\n    {\\n\\tunion drm_amdgpu_ctx arg1;\\n\\tunion drm_amdgpu_wait_cs arg2;\\n\\n\\targ1.in.op = AMDGPU_CTX_OP_ALLOC_CTX;\\n\\tret = drmIoctl(fd, 0x140106442 /* amdgpu_ctx_ioctl */, \u0026arg1);\\n\\n\\targ2.in.handle = 0x0;\\n\\targ2.in.timeout = 0x2000000000000;\\n\\targ2.in.ip_type = AMD_IP_VPE /* 0x9 */;\\n\\targ2-\u003ein.ip_instance = 0x0;\\n\\targ2.in.ring = 0x0;\\n\\targ2.in.ctx_id = arg1.out.alloc.ctx_id;\\n\\n\\tdrmIoctl(fd, 0xc0206449 /* AMDGPU_WAIT_CS * /, \u0026arg2);\\n    }\\n\\nThe ioctl AMDGPU_WAIT_CS without previously submitted job could be assumed that\\nthe error should be returned, but the following commit 1decbf6bb0b4dc56c9da6c5e57b994ebfc2be3aa\\nmodified the logic and allowed to have sched_rq equal to NULL.\\n\\nAs a result when there is no job the ioctl AMDGPU_WAIT_CS returns success.\\nThe change fixes null-ptr-deref in init entity and the stack below demonstrates\\nthe error condition:\\n\\n[  +0.000007] BUG: kernel NULL pointer dereference, address: 0000000000000028\\n[  +0.007086] #PF: supervisor read access in kernel mode\\n[  +0.005234] #PF: error_code(0x0000) - not-present page\\n[  +0.005232] PGD 0 P4D 0\\n[  +0.002501] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI\\n[  +0.005034] CPU: 10 PID: 9229 Comm: amd_basic Tainted: G    B   W    L     6.7.0+ #4\\n[  +0.007797] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\\n[  +0.009798] RIP: 0010:drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\\n[  +0.006426] Code: 80 00 00 00 00 00 00 00 e8 1a 81 82 e0 49 89 9c 24 c0 00 00 00 4c 89 ef e8 4a 80 82 e0 49 8b 5d 00 48 8d 7b 28 e8 3d 80 82 e0 \u003c48\u003e 83 7b 28 00 0f 84 28 01 00 00 4d 8d ac 24 98 00 00 00 49 8d 5c\\n[  +0.019094] RSP: 0018:ffffc90014c1fa40 EFLAGS: 00010282\\n[  +0.005237] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff8113f3fa\\n[  +0.007326] RDX: fffffbfff0a7889d RSI: 0000000000000008 RDI: ffffffff853c44e0\\n[  +0.007264] RBP: ffffc90014c1fa80 R08: 0000000000000001 R09: fffffbfff0a7889c\\n[  +0.007266] R10: ffffffff853c44e7 R11: 0000000000000001 R12: ffff8881a719b010\\n[  +0.007263] R13: ffff88810d412748 R14: 0000000000000002 R15: 0000000000000000\\n[  +0.007264] FS:  00007ffff7045540(0000) GS:ffff8883cc900000(0000) knlGS:0000000000000000\\n[  +0.008236] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[  +0.005851] CR2: 0000000000000028 CR3: 000000011912e000 CR4: 0000000000350ef0\\n[  +0.007175] Call Trace:\\n[  +0.002561]  \u003cTASK\u003e\\n[  +0.002141]  ? show_regs+0x6a/0x80\\n[  +0.003473]  ? __die+0x25/0x70\\n[  +0.003124]  ? page_fault_oops+0x214/0x720\\n[  +0.004179]  ? preempt_count_sub+0x18/0xc0\\n[  +0.004093]  ? __pfx_page_fault_oops+0x10/0x10\\n[  +0.004590]  ? srso_return_thunk+0x5/0x5f\\n[  +0.004000]  ? vprintk_default+0x1d/0x30\\n[  +0.004063]  ? srso_return_thunk+0x5/0x5f\\n[  +0.004087]  ? vprintk+0x5c/0x90\\n[  +0.003296]  ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\\n[  +0.005807]  ? srso_return_thunk+0x5/0x5f\\n[  +0.004090]  ? _printk+0xb3/0xe0\\n[  +0.003293]  ? __pfx__printk+0x10/0x10\\n[  +0.003735]  ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\\n[  +0.005482]  ? do_user_addr_fault+0x345/0x770\\n[  +0.004361]  ? exc_page_fault+0x64/0xf0\\n[  +0.003972]  ? asm_exc_page_fault+0x27/0x30\\n[  +0.004271]  ? add_taint+0x2a/0xa0\\n[  +0.003476]  ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\\n[  +0.005812]  amdgpu_ctx_get_entity+0x3f9/0x770 [amdgpu]\\n[  +0.009530]  ? finish_task_switch.isra.0+0x129/0x470\\n[  +0.005068]  ? __pfx_amdgpu_ctx_get_entity+0x10/0x10 [amdgpu]\\n[  +0.010063]  ? __kasan_check_write+0x14/0x20\\n[  +0.004356]  ? srso_return_thunk+0x5/0x5f\\n[  +0.004001]  ? mutex_unlock+0x81/0xd0\\n[  +0.003802]  ? srso_return_thunk+0x5/0x5f\\n[  +0.004096]  amdgpu_cs_wait_ioctl+0xf6/0x270 [amdgpu]\\n[  +0.009355]  ? __pfx_\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: drm/sched: corrige null-ptr-deref en la entidad init. El error se puede activar enviando un amdgpu_cs_wait_ioctl al controlador DRM AMDGPU en cualquier ASIC con contexto v\u00e1lido. El error fue reportado por Joonkyo Jung . Por ejemplo, el siguiente c\u00f3digo: static void Syzkaller2(int fd) { union drm_amdgpu_ctx arg1; uni\u00f3n drm_amdgpu_wait_cs arg2; arg1.in.op = AMDGPU_CTX_OP_ALLOC_CTX; ret = drmIoctl(fd, 0x140106442 /* amdgpu_ctx_ioctl */, \u0026amp;arg1); arg2.in.handle = 0x0; arg2.in.timeout = 0x2000000000000; arg2.in.ip_type = AMD_IP_VPE /* 0x9 */; arg2-\u0026gt;in.ip_instance = 0x0; arg2.in.ring = 0x0; arg2.in.ctx_id = arg1.out.alloc.ctx_id; drmIoctl(fd, 0xc0206449 /* AMDGPU_WAIT_CS * /, \u0026amp;arg2); } Se podr\u00eda suponer que el ioctl AMDGPU_WAIT_CS sin trabajo enviado previamente debe devolver el error, pero la siguiente confirmaci\u00f3n 1decbf6bb0b4dc56c9da6c5e57b994ebfc2be3aa modific\u00f3 la l\u00f3gica y permiti\u00f3 que sched_rq fuera igual a NULL. Como resultado, cuando no hay trabajo, ioctl AMDGPU_WAIT_CS devuelve \u00e9xito. El cambio corrige null-ptr-deref en la entidad init y la siguiente pila demuestra la condici\u00f3n de error: [+0.000007] ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000028 [+0.007086] #PF: acceso de lectura del supervisor en modo kernel [+0.005234 ] #PF: error_code(0x0000) - p\u00e1gina no presente [ +0.005232] PGD 0 P4D 0 [ +0.002501] Ups: 0000 [#1] PREEMPT SMP KASAN NOPTI [ +0.005034] CPU: 10 PID: 9229 Comm: amd_basic Tainted : GBWL 6.7.0+ #4 [ +0.007797] Nombre del hardware: Nombre del producto del sistema ASUS/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 03/12/2020 [ +0.009798] RIP: 0010:drm_sched_entity_init+0x2d3 /0x420 [gpu_sched] [ +0.006426] C\u00f3digo: 80 00 00 00 00 00 00 00 e8 1a 81 82 e0 49 89 9c 24 c0 00 00 00 4c 89 ef e8 4a 80 82 e0 49 8b 5d 00 48 8 d 7b 28 e8 3d 80 82 e0 \u0026lt;48\u0026gt; 83 7b 28 00 0f 84 28 01 00 00 4d 8d ac 24 98 00 00 00 49 8d 5c [ +0.019094] RSP: 0018:ffffc90014c1fa40 EFLAGS: 00010282 [ +0. 005237] RAX: 0000000000000001 RBX: 0000000000000000 RCX : ffffffff8113f3fa [ +0.007326] RDX: ffffbfff0a7889d RSI: 0000000000000008 RDI: ffffffff853c44e0 [ +0.007264] RBP: ffffc90014c1fa80 R08: 00000000000000 01 R09: ffffbfff0a7889c [ +0.007266] R10: ffffffff853c44e7 R11: 0000000000000001 R12: ffff8881a719b010 [ +0.007263] R13: ffff88810d412748 R14: 0000000000000002 R15: 0000000000000000 [ +0.007264] FS: 00007ffff7045540(0000) GS:ffff8883cc900000(0000) knlGS:0000000000000000 [ +0.00823 6] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.005851] CR2: 0000000000000028 CR3: 000000011912e000 CR4 : 0000000000350ef0 [ +0.007175] Seguimiento de llamadas: [ +0.002561]  [ +0.002141] ? show_regs+0x6a/0x80 [+0.003473]? __die+0x25/0x70 [ +0.003124] ? page_fault_oops+0x214/0x720 [+0.004179]? preempt_count_sub+0x18/0xc0 [+0.004093]? __pfx_page_fault_oops+0x10/0x10 [ +0.004590] ? srso_return_thunk+0x5/0x5f [+0.004000]? vprintk_default+0x1d/0x30 [+0.004063]? srso_return_thunk+0x5/0x5f [+0.004087]? vprintk+0x5c/0x90 [ +0.003296] ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched] [+0.005807]? srso_return_thunk+0x5/0x5f [+0.004090]? _printk+0xb3/0xe0 [ +0.003293] ? __pfx__printk+0x10/0x10 [ +0.003735] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20 [+0.005482]? do_user_addr_fault+0x345/0x770 [ +0.004361] ? exc_page_fault+0x64/0xf0 [+0.003972]? asm_exc_page_fault+0x27/0x30 [+0.004271]? add_taint+0x2a/0xa0 [ +0.003476] ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched] [ +0.005812] amdgpu_ctx_get_entity+0x3f9/0x770 [amdgpu] [ +0.009530] ? terminar_task_switch.isra.0+0x129/0x470 [+0.005068]? __pfx_amdgpu_ctx_get_entity+0x10/0x10 [amdgpu] [ +0.010063] ? __kasan_check_write+0x14/0x20 [ +0.004356] ? srso_return_thunk+0x5/0x5f [+0.004001]? mutex_unlock+0x81/0xd0 [+0.003802]? srso_return_thunk+0x5/0x5f [ +0.004096] amdgpu_cs_wait_ioctl+0xf6/0x270 [amdgpu] [ +0.009355] ? __pfx_ ---truncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/54b5b7275dfdec35812ccce70930cd7c4ee612b2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/74cd204c7afe498aa9dcc3ebf0ecac53d477a429\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f34e8bb7d6c6626933fe993e03ed59ae85e16abb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/54b5b7275dfdec35812ccce70930cd7c4ee612b2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/74cd204c7afe498aa9dcc3ebf0ecac53d477a429\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/f34e8bb7d6c6626933fe993e03ed59ae85e16abb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.