Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com

CVE-2024-26656

Description

In the Linux kernel, the following vulnerability has been resolved:drm/amdgpu: fix use-after-free bugThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctlto the AMDGPU DRM driver on any ASICs with an invalid address and size.The bug was reported by Joonkyo Jung .For example the following code:static void Syzkaller1(int fd){ struct drm_amdgpu_gem_userptr arg; int ret; arg.addr = 0xffffffffffff0000; arg.size = 0x80000000; /*2 Gb*/ arg.flags = 0x7; ret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);}Due to the address and size are not valid there is a failure inamdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->check_shl_overflow, but we even the amdgpu_hmm_register failure we still callamdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address.The following stack is below when the issue is reproduced when Kazan is enabled:[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020[ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340[ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80[ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246[ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b[ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260[ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25[ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00[ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260[ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000[ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0[ +0.000010] Call Trace:[ +0.000006] [ +0.000007] ? show_regs+0x6a/0x80[ +0.000018] ? __warn+0xa5/0x1b0[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340[ +0.000018] ? report_bug+0x24a/0x290[ +0.000022] ? handle_bug+0x46/0x90[ +0.000015] ? exc_invalid_op+0x19/0x50[ +0.000016] ? asm_exc_invalid_op+0x1b/0x20[ +0.000017] ? kasan_save_stack+0x26/0x50[ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340[ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340[ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10[ +0.000017] ? kasan_save_alloc_info+0x1e/0x30[ +0.000018] ? srso_return_thunk+0x5/0x5f[ +0.000014] ? __kasan_kmalloc+0xb1/0xc0[ +0.000018] ? srso_return_thunk+0x5/0x5f[ +0.000013] ? __kasan_check_read+0x11/0x20[ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu][ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu][ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu][ +0.004291] ? do_syscall_64+0x5f/0xe0[ +0.000023] ? srso_return_thunk+0x5/0x5f[ +0.000017] drm_gem_object_free+0x3b/0x50 [drm][ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu][ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu][ +0.004270] ? srso_return_thunk+0x5/0x5f[ +0.000014] ? __this_cpu_preempt_check+0x13/0x20[ +0.000015] ? srso_return_thunk+0x5/0x5f[ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0[ +0.000020] ? srso_return_thunk+0x5/0x5f[ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20[ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm][ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu][ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm][ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm][ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu][ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d---truncated---

POC

Reference

No PoCs from references.

Github

- https://github.com/fkie-cad/nvd-json-data-feeds

- https://github.com/w4zu/Debian_security