GHSA-54P6-R4CP-P6QQ

Vulnerability from github – Published: 2024-07-29 18:30 – Updated: 2024-08-22 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/fbdev-dma: Only set smem_start is enable per module option

Only export struct fb_info.fix.smem_start if that is required by the user and the memory does not come from vmalloc().

Setting struct fb_info.fix.smem_start breaks systems where DMA memory is backed by vmalloc address space. An example error is shown below.

[ 3.536043] ------------[ cut here ]------------ [ 3.540716] virt_to_phys used for non-linear address: 000000007fc4f540 (0xffff800086001000) [ 3.552628] WARNING: CPU: 4 PID: 61 at arch/arm64/mm/physaddr.c:12 __virt_to_phys+0x68/0x98 [ 3.565455] Modules linked in: [ 3.568525] CPU: 4 PID: 61 Comm: kworker/u12:5 Not tainted 6.6.23-06226-g4986cc3e1b75-dirty #250 [ 3.577310] Hardware name: NXP i.MX95 19X19 board (DT) [ 3.582452] Workqueue: events_unbound deferred_probe_work_func [ 3.588291] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 3.595233] pc : __virt_to_phys+0x68/0x98 [ 3.599246] lr : __virt_to_phys+0x68/0x98 [ 3.603276] sp : ffff800083603990 [ 3.677939] Call trace: [ 3.680393] __virt_to_phys+0x68/0x98 [ 3.684067] drm_fbdev_dma_helper_fb_probe+0x138/0x238 [ 3.689214] __drm_fb_helper_initial_config_and_unlock+0x2b0/0x4c0 [ 3.695385] drm_fb_helper_initial_config+0x4c/0x68 [ 3.700264] drm_fbdev_dma_client_hotplug+0x8c/0xe0 [ 3.705161] drm_client_register+0x60/0xb0 [ 3.709269] drm_fbdev_dma_setup+0x94/0x148

Additionally, DMA memory is assumed to by contiguous in physical address space, which is not guaranteed by vmalloc().

Resolve this by checking the module flag drm_leak_fbdev_smem when DRM allocated the instance of struct fb_info. Fbdev-dma then only sets smem_start only if required (via FBINFO_HIDE_SMEM_START). Also guarantee that the framebuffer is not located in vmalloc address space.

Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-41094"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-29T16:15:04Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fbdev-dma: Only set smem_start is enable per module option\n\nOnly export struct fb_info.fix.smem_start if that is required by the\nuser and the memory does not come from vmalloc().\n\nSetting struct fb_info.fix.smem_start breaks systems where DMA\nmemory is backed by vmalloc address space. An example error is\nshown below.\n\n[    3.536043] ------------[ cut here ]------------\n[    3.540716] virt_to_phys used for non-linear address: 000000007fc4f540 (0xffff800086001000)\n[    3.552628] WARNING: CPU: 4 PID: 61 at arch/arm64/mm/physaddr.c:12 __virt_to_phys+0x68/0x98\n[    3.565455] Modules linked in:\n[    3.568525] CPU: 4 PID: 61 Comm: kworker/u12:5 Not tainted 6.6.23-06226-g4986cc3e1b75-dirty #250\n[    3.577310] Hardware name: NXP i.MX95 19X19 board (DT)\n[    3.582452] Workqueue: events_unbound deferred_probe_work_func\n[    3.588291] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    3.595233] pc : __virt_to_phys+0x68/0x98\n[    3.599246] lr : __virt_to_phys+0x68/0x98\n[    3.603276] sp : ffff800083603990\n[    3.677939] Call trace:\n[    3.680393]  __virt_to_phys+0x68/0x98\n[    3.684067]  drm_fbdev_dma_helper_fb_probe+0x138/0x238\n[    3.689214]  __drm_fb_helper_initial_config_and_unlock+0x2b0/0x4c0\n[    3.695385]  drm_fb_helper_initial_config+0x4c/0x68\n[    3.700264]  drm_fbdev_dma_client_hotplug+0x8c/0xe0\n[    3.705161]  drm_client_register+0x60/0xb0\n[    3.709269]  drm_fbdev_dma_setup+0x94/0x148\n\nAdditionally, DMA memory is assumed to by contiguous in physical\naddress space, which is not guaranteed by vmalloc().\n\nResolve this by checking the module flag drm_leak_fbdev_smem when\nDRM allocated the instance of struct fb_info. Fbdev-dma then only\nsets smem_start only if required (via FBINFO_HIDE_SMEM_START). Also\nguarantee that the framebuffer is not located in vmalloc address\nspace.",
  "id": "GHSA-54p6-r4cp-p6qq",
  "modified": "2024-08-22T15:31:18Z",
  "published": "2024-07-29T18:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41094"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/00702cfa8432ac67a72f56de5e1d278ddea2ebde"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d92a7580392ad4681b1d4f9275d00b95375ebe01"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f29fcfbf6067c0d8c83f84a045da9276c08deac5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.