CVE-2024-41092

{"id": "CVE-2024-41092", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-07-29T16:15:04.383", "references": [{"url": "https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Fix potential UAF by revoke of fence registers\n\nCI has been sporadically reporting the following issue triggered by\nigt@i915_selftest@live@hangcheck on ADL-P and similar machines:\n\n<6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence\n...\n<6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled\n<6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled\n<3> [414.070354] Unable to pin Y-tiled fence; err:-4\n<3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active))\n...\n<4>[ 609.603992] ------------[ cut here ]------------\n<2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!\n<4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1\n<4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n<4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915]\n<4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]\n...\n<4>[ 609.604271] Call Trace:\n<4>[ 609.604273] <TASK>\n...\n<4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915]\n<4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915]\n<4>[ 609.604977] force_unbind+0x24/0xa0 [i915]\n<4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915]\n<4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915]\n<4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]\n<4>[ 609.605440] process_scheduled_works+0x351/0x690\n...\n\nIn the past, there were similar failures reported by CI from other IGT\ntests, observed on other platforms.\n\nBefore commit 63baf4f3d587 (\"drm/i915/gt: Only wait for GPU activity\nbefore unbinding a GGTT fence\"), i915_vma_revoke_fence() was waiting for\nidleness of vma->active via fence_update(). That commit introduced\nvma->fence->active in order for the fence_update() to be able to wait\nselectively on that one instead of vma->active since only idleness of\nfence registers was needed. But then, another commit 0d86ee35097a\n(\"drm/i915/gt: Make fence revocation unequivocal\") replaced the call to\nfence_update() in i915_vma_revoke_fence() with only fence_write(), and\nalso added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front.\nNo justification was provided on why we might then expect idleness of\nvma->fence->active without first waiting on it.\n\nThe issue can be potentially caused by a race among revocation of fence\nregisters on one side and sequential execution of signal callbacks invoked\non completion of a request that was using them on the other, still\nprocessed in parallel to revocation of those fence registers. Fix it by\nwaiting for idleness of vma->fence->active in i915_vma_revoke_fence().\n\n(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/i915/gt: corrige un posible UAF mediante la revocaci\u00f3n de los registros de valla. CI ha estado informando espor\u00e1dicamente el siguiente problema provocado por igt@i915_selftest@live@hangcheck en ADL-P y m\u00e1quinas similares. : &lt;6&gt; [414.049203] I915: ejecutando Intel_hangcheck_live_SelfTests/IGT_RESET_EVICT_FENCE ... &lt;6&gt; [414.068804] I915 0000: 00: 02.0: [DRM] GT0: GUC: CUBLICIDAD : [drm] GT0: GUC: SLPC habilitado &lt;3&gt; [414.070354] No se puede fijar la cerca con mosaicos en Y; err:-4 &lt;3&gt; [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&amp;fence-&gt;active)) ... &lt;4&gt;[ 609.603992] ------------[ cortar aqu\u00ed ]- ----------- &lt;2&gt;[ 609.603995] \u00a1ERROR del kernel en drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301! &lt;4&gt;[ 609.604003] c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP NOPTI &lt;4&gt;[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Contaminado: GUW 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1 &lt;4 &gt;[ 609.604008] Nombre del hardware: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 20/01/2023 &lt;4&gt;[ 609.604010] Cola de trabajo: i915 __i915_gem_free_work [i915] &lt;4 &gt;[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915] ... &lt;4&gt;[ 609.604271] Seguimiento de llamadas: &lt;4&gt;[ 609.604273] ... &lt;4&gt;[ 609.604716] ct+0x2e9/ 0x550 [i915] &lt;4&gt;[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915] &lt;4&gt;[ 609.604977] force_unbind+0x24/0xa0 [i915] &lt;4&gt;[ 609.605098] x2f/0xa0 [i915] &lt;4&gt;[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915] &lt;4&gt;[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915] &lt;4&gt;[ 609.605440 process_scheduled_works+0x351/0x690... En el pasado, hubo fallas similares informado por CI de otras pruebas de IGT, observado en otras plataformas. Antes de confirmar 63baf4f3d587 (\"drm/i915/gt: solo espere la actividad de la GPU antes de desvincular una valla GGTT\"), i915_vma_revoke_fence() estaba esperando la inactividad de vma-&gt;active a trav\u00e9s de fence_update(). Ese compromiso introdujo vma-&gt;fence-&gt;active para que fence_update() pudiera esperar selectivamente en ese en lugar de vma-&gt;active, ya que solo se necesitaba la inactividad de los registros de cerca. Pero luego, otra confirmaci\u00f3n 0d86ee35097a (\"drm/i915/gt: Hacer que la revocaci\u00f3n de la valla sea inequ\u00edvoca\") reemplaz\u00f3 la llamada a fence_update() en i915_vma_revoke_fence() con solo fence_write(), y tambi\u00e9n agreg\u00f3 que GEM_BUG_ON(!i915_active_is_idle(&amp;fence-&gt;active )) Al frente. No se proporcion\u00f3 ninguna justificaci\u00f3n sobre por qu\u00e9 podr\u00edamos esperar que vma-&gt;fence-&gt;active est\u00e9 inactivo sin esperarlo primero. El problema puede deberse potencialmente a una carrera entre la revocaci\u00f3n de registros de valla por un lado y la ejecuci\u00f3n secuencial de devoluciones de llamadas de se\u00f1ales invocadas al completar una solicitud que las estaba usando por el otro, a\u00fan procesadas en paralelo a la revocaci\u00f3n de esos registros de valla. Solucionelo esperando a que vma-&gt;fence-&gt;active est\u00e9 inactivo en i915_vma_revoke_fence(). (cereza escogida del compromiso 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)"}], "lastModified": "2024-11-21T09:32:13.713", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9C4870DD-D890-4898-91A0-A77991EB51FB", "versionEndExcluding": "5.10.221", "versionStartIncluding": "5.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "10A39ACC-3005-40E8-875C-98A372D1FFD5", "versionEndExcluding": "5.15.162", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "748B6C4B-1F61-47F9-96CC-8899B8412D84", "versionEndExcluding": "6.1.97", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D72E033B-5323-4C4D-8818-36E1EBC3535F", "versionEndExcluding": "6.6.37", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E95105F2-32E3-4C5F-9D18-7AEFD0E6275C", "versionEndExcluding": "6.9.8", "versionStartIncluding": "6.7"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}