cve/published/2024/CVE-2024-46896.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46896: drm/amdgpu: don't access invalid sched

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/amdgpu: don't access invalid sched

 Since 2320c9e6a768 ("drm/sched: memset() 'job' in drm_sched_job_init()")
 accessing job->base.sched can produce unexpected results as the initialisation
 of (*job)->base.sched done in amdgpu_job_alloc is overwritten by the
 memset.

 This commit fixes an issue when a CS would fail validation and would
 be rejected after job->num_ibs is incremented. In this case,
 amdgpu_ib_free(ring->adev, ...) will be called, which would crash the
 machine because the ring value is bogus.

 To fix this, pass a NULL pointer to amdgpu_ib_free(): we can do this
 because the device is actually not used in this function.

 The next commit will remove the ring argument completely.

 (cherry picked from commit 2ae520cb12831d264ceb97c61f72c59d33c0dbd7)

 The Linux kernel CVE team has assigned CVE-2024-46896 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1.120 with commit 166df51487f46b6e997dfeea7ca0c2a970853f07 and fixed in 6.1.122 with commit 65501a4fd84ecdc0af863dbb37759242aab9f2dd
 	Issue introduced in 6.6.66 with commit 87210234e5a273ebf9c4110a6aa82b8221478daa and fixed in 6.6.68 with commit da6b2c626ae73c303378ce9eaf6e3eaf16c9925a
 	Issue introduced in 6.12.5 with commit 2da108b4b5fb7ec04d7e951418ed80e97f7c35ad and fixed in 6.12.7 with commit 67291d601f2b032062b1b2f60ffef1b63e10094c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46896
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/amd/amdgpu/amdgpu_job.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/65501a4fd84ecdc0af863dbb37759242aab9f2dd
 	https://git.kernel.org/stable/c/da6b2c626ae73c303378ce9eaf6e3eaf16c9925a
 	https://git.kernel.org/stable/c/67291d601f2b032062b1b2f60ffef1b63e10094c
 	https://git.kernel.org/stable/c/a93b1020eb9386d7da11608477121b10079c076a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46896: drm/amdgpu: don't access invalid sched

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/amdgpu: don't access invalid sched

	Since 2320c9e6a768 ("drm/sched: memset() 'job' in drm_sched_job_init()")
	accessing job->base.sched can produce unexpected results as the initialisation
	of (*job)->base.sched done in amdgpu_job_alloc is overwritten by the
	memset.

	This commit fixes an issue when a CS would fail validation and would
	be rejected after job->num_ibs is incremented. In this case,
	amdgpu_ib_free(ring->adev, ...) will be called, which would crash the
	machine because the ring value is bogus.

	To fix this, pass a NULL pointer to amdgpu_ib_free(): we can do this
	because the device is actually not used in this function.

	The next commit will remove the ring argument completely.

	(cherry picked from commit 2ae520cb12831d264ceb97c61f72c59d33c0dbd7)

	The Linux kernel CVE team has assigned CVE-2024-46896 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1.120 with commit 166df51487f46b6e997dfeea7ca0c2a970853f07 and fixed in 6.1.122 with commit 65501a4fd84ecdc0af863dbb37759242aab9f2dd
	Issue introduced in 6.6.66 with commit 87210234e5a273ebf9c4110a6aa82b8221478daa and fixed in 6.6.68 with commit da6b2c626ae73c303378ce9eaf6e3eaf16c9925a
	Issue introduced in 6.12.5 with commit 2da108b4b5fb7ec04d7e951418ed80e97f7c35ad and fixed in 6.12.7 with commit 67291d601f2b032062b1b2f60ffef1b63e10094c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46896
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/amd/amdgpu/amdgpu_job.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/65501a4fd84ecdc0af863dbb37759242aab9f2dd
	https://git.kernel.org/stable/c/da6b2c626ae73c303378ce9eaf6e3eaf16c9925a
	https://git.kernel.org/stable/c/67291d601f2b032062b1b2f60ffef1b63e10094c
	https://git.kernel.org/stable/c/a93b1020eb9386d7da11608477121b10079c076a