| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2023-52817: drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL |
| |
| In certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log: |
| |
| 1. Navigate to the directory: /sys/kernel/debug/dri/0 |
| 2. Execute command: cat amdgpu_regs_smc |
| 3. Exception Log:: |
| [4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000 |
| [4005007.702562] #PF: supervisor instruction fetch in kernel mode |
| [4005007.702567] #PF: error_code(0x0010) - not-present page |
| [4005007.702570] PGD 0 P4D 0 |
| [4005007.702576] Oops: 0010 [#1] SMP NOPTI |
| [4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G OE 5.15.0-43-generic #46-Ubunt u |
| [4005007.702590] RIP: 0010:0x0 |
| [4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. |
| [4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206 |
| [4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68 |
| [4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000 |
| [4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980 |
| [4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000 |
| [4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000 |
| [4005007.702622] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000 |
| [4005007.702626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 |
| [4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0 |
| [4005007.702633] Call Trace: |
| [4005007.702636] <TASK> |
| [4005007.702640] amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu] |
| [4005007.703002] full_proxy_read+0x5c/0x80 |
| [4005007.703011] vfs_read+0x9f/0x1a0 |
| [4005007.703019] ksys_read+0x67/0xe0 |
| [4005007.703023] __x64_sys_read+0x19/0x20 |
| [4005007.703028] do_syscall_64+0x5c/0xc0 |
| [4005007.703034] ? do_user_addr_fault+0x1e3/0x670 |
| [4005007.703040] ? exit_to_user_mode_prepare+0x37/0xb0 |
| [4005007.703047] ? irqentry_exit_to_user_mode+0x9/0x20 |
| [4005007.703052] ? irqentry_exit+0x19/0x30 |
| [4005007.703057] ? exc_page_fault+0x89/0x160 |
| [4005007.703062] ? asm_exc_page_fault+0x8/0x30 |
| [4005007.703068] entry_SYSCALL_64_after_hwframe+0x44/0xae |
| [4005007.703075] RIP: 0033:0x7f5e07672992 |
| [4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e c 28 48 89 54 24 |
| [4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 |
| [4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992 |
| [4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003 |
| [4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010 |
| [4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000 |
| [4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000 |
| [4005007.703105] </TASK> |
| [4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_ iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v 2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca |
| [4005007.703184] CR2: 0000000000000000 |
| [4005007.703188] ---[ end trace ac65a538d240da39 ]--- |
| [4005007.800865] RIP: 0010:0x0 |
| [4005007.800871] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. |
| [4005007.800874] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206 |
| [4005007.800878] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68 |
| [4005007.800881] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000 |
| [4005007.800883] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980 |
| [4005007.800886] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000 |
| [4005007.800888] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000 |
| [4005007.800891] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000 |
| [4005007.800895] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 |
| [4005007.800898] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0 |
| |
| The Linux kernel CVE team has assigned CVE-2023-52817 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 4.19.300 with commit bf2d51eedf03bd61e3556e35d74d49e2e6112398 |
| Fixed in 5.4.262 with commit 437e0fa907ba39b4d7eda863c03ea9cf48bd93a9 |
| Fixed in 5.10.202 with commit f475d5502f33a6c5b149b0afe96316ad1962a64a |
| Fixed in 5.15.140 with commit 174f62a0aa15c211e60208b41ee9e7cdfb73d455 |
| Fixed in 6.1.64 with commit 6c1b3d89a2dda79881726bb6e37af19c0936d736 |
| Fixed in 6.5.13 with commit 820daf9ffe2b0afb804567b10983fb38bc5ae288 |
| Fixed in 6.6.3 with commit ba3c0796d292de84f2932cc5bbb0f771fc720996 |
| Fixed in 6.7 with commit 5104fdf50d326db2c1a994f8b35dcd46e63ae4ad |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2023-52817 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/bf2d51eedf03bd61e3556e35d74d49e2e6112398 |
| https://git.kernel.org/stable/c/437e0fa907ba39b4d7eda863c03ea9cf48bd93a9 |
| https://git.kernel.org/stable/c/f475d5502f33a6c5b149b0afe96316ad1962a64a |
| https://git.kernel.org/stable/c/174f62a0aa15c211e60208b41ee9e7cdfb73d455 |
| https://git.kernel.org/stable/c/6c1b3d89a2dda79881726bb6e37af19c0936d736 |
| https://git.kernel.org/stable/c/820daf9ffe2b0afb804567b10983fb38bc5ae288 |
| https://git.kernel.org/stable/c/ba3c0796d292de84f2932cc5bbb0f771fc720996 |
| https://git.kernel.org/stable/c/5104fdf50d326db2c1a994f8b35dcd46e63ae4ad |
