| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025011141-CVE-2024-46896-8e7c@gregkh>
Date: Sat, 11 Jan 2025 13:35:43 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-46896: drm/amdgpu: don't access invalid sched
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: don't access invalid sched
Since 2320c9e6a768 ("drm/sched: memset() 'job' in drm_sched_job_init()")
accessing job->base.sched can produce unexpected results as the initialisation
of (*job)->base.sched done in amdgpu_job_alloc is overwritten by the
memset.
This commit fixes an issue when a CS would fail validation and would
be rejected after job->num_ibs is incremented. In this case,
amdgpu_ib_free(ring->adev, ...) will be called, which would crash the
machine because the ring value is bogus.
To fix this, pass a NULL pointer to amdgpu_ib_free(): we can do this
because the device is actually not used in this function.
The next commit will remove the ring argument completely.
(cherry picked from commit 2ae520cb12831d264ceb97c61f72c59d33c0dbd7)
The Linux kernel CVE team has assigned CVE-2024-46896 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.1.120 with commit 166df51487f46b6e997dfeea7ca0c2a970853f07 and fixed in 6.1.122 with commit 65501a4fd84ecdc0af863dbb37759242aab9f2dd
Issue introduced in 6.6.66 with commit 87210234e5a273ebf9c4110a6aa82b8221478daa and fixed in 6.6.68 with commit da6b2c626ae73c303378ce9eaf6e3eaf16c9925a
Issue introduced in 6.12.5 with commit 2da108b4b5fb7ec04d7e951418ed80e97f7c35ad and fixed in 6.12.7 with commit 67291d601f2b032062b1b2f60ffef1b63e10094c
Issue introduced in 6.13-rc1 with commit 2320c9e6a768d135c7b0039995182bb1a4e4fd22 and fixed in 6.13-rc4 with commit a93b1020eb9386d7da11608477121b10079c076a
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-46896
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/gpu/drm/amd/amdgpu/amdgpu_job.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/65501a4fd84ecdc0af863dbb37759242aab9f2dd
https://git.kernel.org/stable/c/da6b2c626ae73c303378ce9eaf6e3eaf16c9925a
https://git.kernel.org/stable/c/67291d601f2b032062b1b2f60ffef1b63e10094c
https://git.kernel.org/stable/c/a93b1020eb9386d7da11608477121b10079c076a
Powered by blists - more mailing lists