The CVE-2020-36788 vulnerability exists in the Linux kernel's drm/nouveau module, specifically in the `nouveau_bo_init()` function. This function is backed by `ttm_bo_init()`, which returns an error code that is propagated back to the caller. However, when `ttm_bo_init()` fails, it invokes a destructor that de-initializes and frees the memory allocated for the BO (Buffer Object).
The issue arises because, by the time `nouveau_bo_init()` returns an error, the GEM object has already been released and its memory freed by `nouveau_bo_del_ttm()`. Code that then treats the BO as still valid on that error path touches freed memory, which is the use-after-free.
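The ownership hazard described above is easy to reproduce in miniature. The following is an added, self-contained C model written for this page; it is not nouveau or TTM code, and every `demo_` name is a hypothetical stand-in. It contrasts a caller that assumes it still owns the object after a failed init (the bug pattern) with one that treats the object as gone once the callee's error path has run its destructor. The destructor is instrumented to count repeat releases instead of actually freeing, so the double release is observable rather than undefined behaviour.

```c
/* Added model of the init/destructor ownership hazard behind CVE-2020-36788.
 * All demo_* names are hypothetical; this is not the nouveau/ttm code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy buffer object standing in for a nouveau BO wrapped around a TTM BO. */
struct demo_bo {
    int live;   /* 1 while initialised, 0 once the destructor has run */
};

/* Instrumentation: the demo destructor never calls free(), so a second
 * release can be detected and counted instead of corrupting the heap. */
static int demo_release_count;
static int demo_double_release_count;

static void demo_bo_destroy(struct demo_bo *bo)
{
    if (!bo->live) {
        demo_double_release_count++;   /* this is the use-after-free */
        return;
    }
    bo->live = 0;
    demo_release_count++;
}

/* Models the callee contract described in the text: on failure the init
 * routine runs the destructor itself before returning the error, so the
 * object no longer belongs to the caller once a non-zero value comes back. */
static int demo_ttm_bo_init(struct demo_bo *bo, int force_fail)
{
    if (force_fail) {
        demo_bo_destroy(bo);
        return -ENOMEM;
    }
    return 0;
}

/* Bug pattern: the caller believes it must clean up after a failed init. */
static int demo_gem_new_vulnerable(int force_fail)
{
    struct demo_bo *bo = calloc(1, sizeof(*bo));
    if (!bo)
        return -ENOMEM;
    bo->live = 1;

    int ret = demo_ttm_bo_init(bo, force_fail);
    if (ret) {
        demo_bo_destroy(bo);   /* BUG: already destroyed by the callee */
        return ret;
    }
    demo_bo_destroy(bo);       /* normal teardown for the demo */
    return 0;
}

/* Fixed pattern: on error the object is already gone, so do not touch it. */
static int demo_gem_new_fixed(int force_fail)
{
    struct demo_bo *bo = calloc(1, sizeof(*bo));
    if (!bo)
        return -ENOMEM;
    bo->live = 1;

    int ret = demo_ttm_bo_init(bo, force_fail);
    if (ret)
        return ret;            /* callee released bo; nothing to clean up */
    demo_bo_destroy(bo);
    return 0;
}

/* Drives one caller through a forced init failure and returns how many
 * repeat releases it attempted (0 is correct, 1 reproduces the bug). */
static int demo_double_releases(int (*caller)(int))
{
    demo_release_count = 0;
    demo_double_release_count = 0;
    caller(1);
    return demo_double_release_count;
}

int main(void)
{
    printf("vulnerable caller: %d double release(s)\n",
           demo_double_releases(demo_gem_new_vulnerable));
    printf("fixed caller:      %d double release(s)\n",
           demo_double_releases(demo_gem_new_fixed));
    return 0;
}
```

The demo deliberately leaks the small `demo_bo` allocations so the `live` flag stays readable after "destruction"; in real code the same second release would be a free of already-freed memory. The general lesson is the one the advisory states: when a callee documents that it destroys the object on failure, the caller's error path must not release, dereference or drop a reference on it.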
The vulnerability was introduced in kernel version 5.4 with commit 019cbd4a4feb and was fixed in versions 5.10.73, 5.14.12, and 5.15 with commits f86e19d918a8, 548f2ff8ea5e, and bcf34aa5082e, respectively. The affected file is `drivers/gpu/drm/nouveau/nouveau_gem.c`.
To mitigate this issue, the Linux kernel CVE team recommends updating to the latest stable kernel version. If updating is not possible, individual changes can be cherry-picked from the commits listed above, but this approach is not recommended or supported by the Linux kernel community.