cve-2024-35932
Vulnerability from cvelistv5
Published
2024-05-19 10:10
Modified
2024-11-05 09:25
Severity ?
Summary
drm/vc4: don't check if plane->state->fb == state->fb
Impacted products
Vendor Product Version
Linux Linux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35932",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-17T17:38:26.855561Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-17T17:40:48.456Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:48.974Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/48bfb4b03c5ff6e1fa1dc73fb915e150b0968c40"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d6b2fe2db1d0927b2d7df5c763eba55d0e1def3c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5343f724c912c77541029123f47ecd3d2ea63bdd"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vc4/vc4_plane.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "48bfb4b03c5f",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "d6b2fe2db1d0",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "5343f724c912",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "5ee0d47dcf33",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vc4/vc4_plane.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: don\u0027t check if plane-\u003estate-\u003efb == state-\u003efb\n\nCurrently, when using non-blocking commits, we can see the following\nkernel warning:\n\n[  110.908514] ------------[ cut here ]------------\n[  110.908529] refcount_t: underflow; use-after-free.\n[  110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0\n[  110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\n[  110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G         C         6.1.66-v8+ #32\n[  110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\n[  110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  110.909132] pc : refcount_dec_not_one+0xb8/0xc0\n[  110.909152] lr : refcount_dec_not_one+0xb4/0xc0\n[  110.909170] sp : ffffffc00913b9c0\n[  110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60\n[  110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480\n[  110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78\n[  110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000\n[  110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004\n[  110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003\n[  110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00\n[  110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572\n[  110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000\n[  110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001\n[  110.909434] Call trace:\n[  110.909441]  refcount_dec_not_one+0xb8/0xc0\n[  110.909461]  vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]\n[  110.909903]  vc4_cleanup_fb+0x44/0x50 [vc4]\n[  110.910315]  drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]\n[  110.910669]  vc4_atomic_commit_tail+0x390/0x9dc [vc4]\n[  110.911079]  commit_tail+0xb0/0x164 [drm_kms_helper]\n[  110.911397]  drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]\n[  110.911716]  drm_atomic_commit+0xb0/0xdc [drm]\n[  110.912569]  drm_mode_atomic_ioctl+0x348/0x4b8 [drm]\n[  110.913330]  drm_ioctl_kernel+0xec/0x15c [drm]\n[  110.914091]  drm_ioctl+0x24c/0x3b0 [drm]\n[  110.914850]  __arm64_sys_ioctl+0x9c/0xd4\n[  110.914873]  invoke_syscall+0x4c/0x114\n[  110.914897]  el0_svc_common+0xd0/0x118\n[  110.914917]  do_el0_svc+0x38/0xd0\n[  110.914936]  el0_svc+0x30/0x8c\n[  110.914958]  el0t_64_sync_handler+0x84/0xf0\n[  110.914979]  el0t_64_sync+0x18c/0x190\n[  110.914996] ---[ end trace 0000000000000000 ]---\n\nThis happens because, although `prepare_fb` and `cleanup_fb` are\nperfectly balanced, we cannot guarantee consistency in the check\nplane-\u003estate-\u003efb == state-\u003efb. This means that sometimes we can increase\nthe refcount in `prepare_fb` and don\u0027t decrease it in `cleanup_fb`. The\nopposite can also be true.\n\nIn fact, the struct drm_plane .state shouldn\u0027t be accessed directly\nbut instead, the `drm_atomic_get_new_plane_state()` helper function should\nbe used. So, we could stick to this check, but using\n`drm_atomic_get_new_plane_state()`. But actually, this check is not re\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:25:15.619Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/48bfb4b03c5ff6e1fa1dc73fb915e150b0968c40"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6b2fe2db1d0927b2d7df5c763eba55d0e1def3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5343f724c912c77541029123f47ecd3d2ea63bdd"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9"
        }
      ],
      "title": "drm/vc4: don\u0027t check if plane-\u003estate-\u003efb == state-\u003efb",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35932",
    "datePublished": "2024-05-19T10:10:40.353Z",
    "dateReserved": "2024-05-17T13:50:33.130Z",
    "dateUpdated": "2024-11-05T09:25:15.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35932\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-19T11:15:49.203\",\"lastModified\":\"2024-05-20T13:00:04.957\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vc4: don\u0027t check if plane-\u003estate-\u003efb == state-\u003efb\\n\\nCurrently, when using non-blocking commits, we can see the following\\nkernel warning:\\n\\n[  110.908514] ------------[ cut here ]------------\\n[  110.908529] refcount_t: underflow; use-after-free.\\n[  110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0\\n[  110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\\n[  110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G         C         6.1.66-v8+ #32\\n[  110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\\n[  110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n[  110.909132] pc : refcount_dec_not_one+0xb8/0xc0\\n[  110.909152] lr : refcount_dec_not_one+0xb4/0xc0\\n[  110.909170] sp : ffffffc00913b9c0\\n[  110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60\\n[  110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480\\n[  110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78\\n[  110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000\\n[  110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004\\n[  110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003\\n[  110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00\\n[  110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572\\n[  110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000\\n[  110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001\\n[  110.909434] Call trace:\\n[  110.909441]  refcount_dec_not_one+0xb8/0xc0\\n[  110.909461]  vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]\\n[  110.909903]  vc4_cleanup_fb+0x44/0x50 [vc4]\\n[  110.910315]  drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]\\n[  110.910669]  vc4_atomic_commit_tail+0x390/0x9dc [vc4]\\n[  110.911079]  commit_tail+0xb0/0x164 [drm_kms_helper]\\n[  110.911397]  drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]\\n[  110.911716]  drm_atomic_commit+0xb0/0xdc [drm]\\n[  110.912569]  drm_mode_atomic_ioctl+0x348/0x4b8 [drm]\\n[  110.913330]  drm_ioctl_kernel+0xec/0x15c [drm]\\n[  110.914091]  drm_ioctl+0x24c/0x3b0 [drm]\\n[  110.914850]  __arm64_sys_ioctl+0x9c/0xd4\\n[  110.914873]  invoke_syscall+0x4c/0x114\\n[  110.914897]  el0_svc_common+0xd0/0x118\\n[  110.914917]  do_el0_svc+0x38/0xd0\\n[  110.914936]  el0_svc+0x30/0x8c\\n[  110.914958]  el0t_64_sync_handler+0x84/0xf0\\n[  110.914979]  el0t_64_sync+0x18c/0x190\\n[  110.914996] ---[ end trace 0000000000000000 ]---\\n\\nThis happens because, although `prepare_fb` and `cleanup_fb` are\\nperfectly balanced, we cannot guarantee consistency in the check\\nplane-\u003estate-\u003efb == state-\u003efb. This means that sometimes we can increase\\nthe refcount in `prepare_fb` and don\u0027t decrease it in `cleanup_fb`. The\\nopposite can also be true.\\n\\nIn fact, the struct drm_plane .state shouldn\u0027t be accessed directly\\nbut instead, the `drm_atomic_get_new_plane_state()` helper function should\\nbe used. So, we could stick to this check, but using\\n`drm_atomic_get_new_plane_state()`. But actually, this check is not re\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/vc4: no comprobar si plano-\u0026gt;estado-\u0026gt;fb == estado-\u0026gt;fb Actualmente, al usar confirmaciones sin bloqueo, podemos ver la siguiente advertencia del kernel : [110.908514] ------------[ cortar aqu\u00ed ]------------ [ 110.908529] refcount_t: subdesbordamiento; uso despu\u00e9s de la liberaci\u00f3n. [110.908620] ADVERTENCIA: CPU: 0 PID: 1866 en lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0 [110.908664] M\u00f3dulos vinculados en: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes _arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm 2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) 2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks retroiluminaci\u00f3n ip_tables x_tables ipv6 [110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Contaminado: GC 6.1.66 -v8+ #32 [110.909104] Nombre del hardware: Frambuesa Pi 3 Modelo B Rev 1.2 (DT) [ 110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 110.909132] pc : refcount_dec_not_one+0xb8/0xc0 [ 110.909152] lr : refcount_dec_not_one + 0xb4/0xc0 [ 110.909170] sp : ffffffc00913b9c0 [ 110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60 [ 110.909205 ] x26: 0000000000000002 x25: 00000000000000004 x24: ffffff8004448480 [ 110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: [110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000 [ 110.909283] x17: 00000000000000011 x16: ffffffffffffffff x15: 0000000000000004 [ 110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003 [ 110.909333] x11: 0000000000000000 x10: 00000000000000027 x9: c912d0d083728c00 [110.909359] x8: c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572 [ 110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 00000000000000000 [ 110.909409] x2 : 00000000000 x1: ffffffc00913b750 x0: 0000000000000001 [110.909434] Rastreo de llamadas: [110.909441] refcount_dec_not_one+0xb8/0xc0 [110.909461] / 0x1b0 [vc4] [ 110.909903] vc4_cleanup_fb+0x44/0x50 [vc4] [ 110.910315] drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper] [ 110.910669] 0/0x9dc [vc4] [110.911079] commit_tail+0xb0/0x164 [drm_kms_helper] [110.911397 ] drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper] [ 110.911716] drm_atomic_commit+0xb0/0xdc [drm] [ 110.912569] drm_mode_atomic_ioctl+0x348/0x4b8 [drm] [ 110.913330 ] drm_ioctl_kernel+0xec/0x15c [drm] [ 110.914091] drm_ioctl+0x24c/0x3b0 [drm] [ 110.914850] __arm64_sys_ioctl+0x9c/0xd4 [ 110.914873] invoke_syscall+0x4c/0x114 [ 110.914897] el0_svc_common+0xd0/0x118 [ 110.914917] svc+0x38/0xd0 [ 110.914936] el0_svc+0x30/0x8c [ 110.914958] el0t_64_sync_handler+0x84/ 0xf0 [ 110.914979] el0t_64_sync+0x18c/0x190 [ 110.914996] ---[ end trace 0000000000000000 ]--- Esto sucede porque, aunque `prepare_fb` y `cleanup_fb` est\u00e1n perfectamente equilibrados, no podemos garantizar la coherencia en el plano de verificaci\u00f3n-\u0026gt;estado -\u0026gt;fb == estado-\u0026gt;fb. Esto significa que a veces podemos aumentar el recuento en `prepare_fb` y no disminuirlo en `cleanup_fb`. Lo contrario tambi\u00e9n puede ser cierto. De hecho, no se debe acceder directamente a la estructura drm_plane .state, sino que se debe utilizar la funci\u00f3n auxiliar `drm_atomic_get_new_plane_state()`. Entonces, podr\u00edamos ce\u00f1irnos a esta verificaci\u00f3n, pero usando `drm_atomic_get_new_plane_state()`. Pero en realidad, esta verificaci\u00f3n no se re---trunca---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/48bfb4b03c5ff6e1fa1dc73fb915e150b0968c40\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5343f724c912c77541029123f47ecd3d2ea63bdd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d6b2fe2db1d0927b2d7df5c763eba55d0e1def3c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.