ghsa-fr3q-v98q-fwq5
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
drm/sched: fix null-ptr-deref in init entity
The bug can be triggered by sending an amdgpu_cs_wait_ioctl to the AMDGPU DRM driver on any ASICs with valid context. The bug was reported by Joonkyo Jung joonkyoj@yonsei.ac.kr. For example the following code:
static void Syzkaller2(int fd)
{
union drm_amdgpu_ctx arg1;
union drm_amdgpu_wait_cs arg2;
arg1.in.op = AMDGPU_CTX_OP_ALLOC_CTX;
ret = drmIoctl(fd, 0x140106442 /* amdgpu_ctx_ioctl */, &arg1);
arg2.in.handle = 0x0;
arg2.in.timeout = 0x2000000000000;
arg2.in.ip_type = AMD_IP_VPE /* 0x9 */;
arg2->in.ip_instance = 0x0;
arg2.in.ring = 0x0;
arg2.in.ctx_id = arg1.out.alloc.ctx_id;
drmIoctl(fd, 0xc0206449 /* AMDGPU_WAIT_CS * /, &arg2);
}
The ioctl AMDGPU_WAIT_CS without previously submitted job could be assumed that the error should be returned, but the following commit 1decbf6bb0b4dc56c9da6c5e57b994ebfc2be3aa modified the logic and allowed to have sched_rq equal to NULL.
As a result when there is no job the ioctl AMDGPU_WAIT_CS returns success. The change fixes null-ptr-deref in init entity and the stack below demonstrates the error condition:
[ +0.000007] BUG: kernel NULL pointer dereference, address: 0000000000000028
[ +0.007086] #PF: supervisor read access in kernel mode
[ +0.005234] #PF: error_code(0x0000) - not-present page
[ +0.005232] PGD 0 P4D 0
[ +0.002501] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ +0.005034] CPU: 10 PID: 9229 Comm: amd_basic Tainted: G B W L 6.7.0+ #4
[ +0.007797] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020
[ +0.009798] RIP: 0010:drm_sched_entity_init+0x2d3/0x420 [gpu_sched]
[ +0.006426] Code: 80 00 00 00 00 00 00 00 e8 1a 81 82 e0 49 89 9c 24 c0 00 00 00 4c 89 ef e8 4a 80 82 e0 49 8b 5d 00 48 8d 7b 28 e8 3d 80 82 e0 <48> 83 7b 28 00 0f 84 28 01 00 00 4d 8d ac 24 98 00 00 00 49 8d 5c
[ +0.019094] RSP: 0018:ffffc90014c1fa40 EFLAGS: 00010282
[ +0.005237] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff8113f3fa
[ +0.007326] RDX: fffffbfff0a7889d RSI: 0000000000000008 RDI: ffffffff853c44e0
[ +0.007264] RBP: ffffc90014c1fa80 R08: 0000000000000001 R09: fffffbfff0a7889c
[ +0.007266] R10: ffffffff853c44e7 R11: 0000000000000001 R12: ffff8881a719b010
[ +0.007263] R13: ffff88810d412748 R14: 0000000000000002 R15: 0000000000000000
[ +0.007264] FS: 00007ffff7045540(0000) GS:ffff8883cc900000(0000) knlGS:0000000000000000
[ +0.008236] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ +0.005851] CR2: 0000000000000028 CR3: 000000011912e000 CR4: 0000000000350ef0
[ +0.007175] Call Trace:
[ +0.002561]
{
"affected": [],
"aliases": [
"CVE-2024-26657"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-02T07:15:42Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: fix null-ptr-deref in init entity\n\nThe bug can be triggered by sending an amdgpu_cs_wait_ioctl\nto the AMDGPU DRM driver on any ASICs with valid context.\nThe bug was reported by Joonkyo Jung \u003cjoonkyoj@yonsei.ac.kr\u003e.\nFor example the following code:\n\n static void Syzkaller2(int fd)\n {\n\tunion drm_amdgpu_ctx arg1;\n\tunion drm_amdgpu_wait_cs arg2;\n\n\targ1.in.op = AMDGPU_CTX_OP_ALLOC_CTX;\n\tret = drmIoctl(fd, 0x140106442 /* amdgpu_ctx_ioctl */, \u0026arg1);\n\n\targ2.in.handle = 0x0;\n\targ2.in.timeout = 0x2000000000000;\n\targ2.in.ip_type = AMD_IP_VPE /* 0x9 */;\n\targ2-\u003ein.ip_instance = 0x0;\n\targ2.in.ring = 0x0;\n\targ2.in.ctx_id = arg1.out.alloc.ctx_id;\n\n\tdrmIoctl(fd, 0xc0206449 /* AMDGPU_WAIT_CS * /, \u0026arg2);\n }\n\nThe ioctl AMDGPU_WAIT_CS without previously submitted job could be assumed that\nthe error should be returned, but the following commit 1decbf6bb0b4dc56c9da6c5e57b994ebfc2be3aa\nmodified the logic and allowed to have sched_rq equal to NULL.\n\nAs a result when there is no job the ioctl AMDGPU_WAIT_CS returns success.\nThe change fixes null-ptr-deref in init entity and the stack below demonstrates\nthe error condition:\n\n[ +0.000007] BUG: kernel NULL pointer dereference, address: 0000000000000028\n[ +0.007086] #PF: supervisor read access in kernel mode\n[ +0.005234] #PF: error_code(0x0000) - not-present page\n[ +0.005232] PGD 0 P4D 0\n[ +0.002501] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI\n[ +0.005034] CPU: 10 PID: 9229 Comm: amd_basic Tainted: G B W L 6.7.0+ #4\n[ +0.007797] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[ +0.009798] RIP: 0010:drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\n[ +0.006426] Code: 80 00 00 00 00 00 00 00 e8 1a 81 82 e0 49 89 9c 24 c0 00 00 00 4c 89 ef e8 4a 80 82 e0 49 8b 5d 00 48 8d 7b 28 e8 3d 80 82 e0 \u003c48\u003e 83 7b 28 00 0f 84 28 01 00 00 4d 8d ac 24 98 00 00 00 49 8d 5c\n[ +0.019094] RSP: 0018:ffffc90014c1fa40 EFLAGS: 00010282\n[ +0.005237] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff8113f3fa\n[ +0.007326] RDX: fffffbfff0a7889d RSI: 0000000000000008 RDI: ffffffff853c44e0\n[ +0.007264] RBP: ffffc90014c1fa80 R08: 0000000000000001 R09: fffffbfff0a7889c\n[ +0.007266] R10: ffffffff853c44e7 R11: 0000000000000001 R12: ffff8881a719b010\n[ +0.007263] R13: ffff88810d412748 R14: 0000000000000002 R15: 0000000000000000\n[ +0.007264] FS: 00007ffff7045540(0000) GS:ffff8883cc900000(0000) knlGS:0000000000000000\n[ +0.008236] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.005851] CR2: 0000000000000028 CR3: 000000011912e000 CR4: 0000000000350ef0\n[ +0.007175] Call Trace:\n[ +0.002561] \u003cTASK\u003e\n[ +0.002141] ? show_regs+0x6a/0x80\n[ +0.003473] ? __die+0x25/0x70\n[ +0.003124] ? page_fault_oops+0x214/0x720\n[ +0.004179] ? preempt_count_sub+0x18/0xc0\n[ +0.004093] ? __pfx_page_fault_oops+0x10/0x10\n[ +0.004590] ? srso_return_thunk+0x5/0x5f\n[ +0.004000] ? vprintk_default+0x1d/0x30\n[ +0.004063] ? srso_return_thunk+0x5/0x5f\n[ +0.004087] ? vprintk+0x5c/0x90\n[ +0.003296] ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\n[ +0.005807] ? srso_return_thunk+0x5/0x5f\n[ +0.004090] ? _printk+0xb3/0xe0\n[ +0.003293] ? __pfx__printk+0x10/0x10\n[ +0.003735] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[ +0.005482] ? do_user_addr_fault+0x345/0x770\n[ +0.004361] ? exc_page_fault+0x64/0xf0\n[ +0.003972] ? asm_exc_page_fault+0x27/0x30\n[ +0.004271] ? add_taint+0x2a/0xa0\n[ +0.003476] ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\n[ +0.005812] amdgpu_ctx_get_entity+0x3f9/0x770 [amdgpu]\n[ +0.009530] ? finish_task_switch.isra.0+0x129/0x470\n[ +0.005068] ? __pfx_amdgpu_ctx_get_entity+0x10/0x10 [amdgpu]\n[ +0.010063] ? __kasan_check_write+0x14/0x20\n[ +0.004356] ? srso_return_thunk+0x5/0x5f\n[ +0.004001] ? mutex_unlock+0x81/0xd0\n[ +0.003802] ? srso_return_thunk+0x5/0x5f\n[ +0.004096] amdgpu_cs_wait_ioctl+0xf6/0x270 [amdgpu]\n[ +0.009355] ? __pfx_\n---truncated---",
"id": "GHSA-fr3q-v98q-fwq5",
"modified": "2024-04-03T15:30:41Z",
"published": "2024-04-02T09:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26657"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/54b5b7275dfdec35812ccce70930cd7c4ee612b2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/74cd204c7afe498aa9dcc3ebf0ecac53d477a429"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f34e8bb7d6c6626933fe993e03ed59ae85e16abb"
}
],
"schema_version": "1.4.0",
"severity": []
}