cve/published/2024/CVE-2024-26940.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26940: drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed

 The driver creates /sys/kernel/debug/dri/0/mob_ttm even when the
 corresponding ttm_resource_manager is not allocated.
 This leads to a crash when trying to read from this file.

 Add a check to create mob_ttm, system_mob_ttm, and gmr_ttm debug file
 only when the corresponding ttm_resource_manager is allocated.

 crash> bt
 PID: 3133409  TASK: ffff8fe4834a5000  CPU: 3    COMMAND: "grep"
  #0 [ffffb954506b3b20] machine_kexec at ffffffffb2a6bec3
  #1 [ffffb954506b3b78] __crash_kexec at ffffffffb2bb598a
  #2 [ffffb954506b3c38] crash_kexec at ffffffffb2bb68c1
  #3 [ffffb954506b3c50] oops_end at ffffffffb2a2a9b1
  #4 [ffffb954506b3c70] no_context at ffffffffb2a7e913
  #5 [ffffb954506b3cc8] __bad_area_nosemaphore at ffffffffb2a7ec8c
  #6 [ffffb954506b3d10] do_page_fault at ffffffffb2a7f887
  #7 [ffffb954506b3d40] page_fault at ffffffffb360116e
     [exception RIP: ttm_resource_manager_debug+0x11]
     RIP: ffffffffc04afd11  RSP: ffffb954506b3df0  RFLAGS: 00010246
     RAX: ffff8fe41a6d1200  RBX: 0000000000000000  RCX: 0000000000000940
     RDX: 0000000000000000  RSI: ffffffffc04b4338  RDI: 0000000000000000
     RBP: ffffb954506b3e08   R8: ffff8fee3ffad000   R9: 0000000000000000
     R10: ffff8fe41a76a000  R11: 0000000000000001  R12: 00000000ffffffff
     R13: 0000000000000001  R14: ffff8fe5bb6f3900  R15: ffff8fe41a6d1200
     ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
  #8 [ffffb954506b3e00] ttm_resource_manager_show at ffffffffc04afde7 [ttm]
  #9 [ffffb954506b3e30] seq_read at ffffffffb2d8f9f3
     RIP: 00007f4c4eda8985  RSP: 00007ffdbba9e9f8  RFLAGS: 00000246
     RAX: ffffffffffffffda  RBX: 000000000037e000  RCX: 00007f4c4eda8985
     RDX: 000000000037e000  RSI: 00007f4c41573000  RDI: 0000000000000003
     RBP: 000000000037e000   R8: 0000000000000000   R9: 000000000037fe30
     R10: 0000000000000000  R11: 0000000000000246  R12: 00007f4c41573000
     R13: 0000000000000003  R14: 00007f4c41572010  R15: 0000000000000003
     ORIG_RAX: 0000000000000000  CS: 0033  SS: 002b

 The Linux kernel CVE team has assigned CVE-2024-26940 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.19 with commit af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 and fixed in 6.1.84 with commit 016119154981d81c9e8f2ea3f56b9e2b4ea14500
 	Issue introduced in 5.19 with commit af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 and fixed in 6.6.24 with commit 042ef0afc40fa1a22b3608f22915b91ce39d128f
 	Issue introduced in 5.19 with commit af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 and fixed in 6.7.12 with commit 25e3ce59c1200f1f0563e39de151f34962ab0fe1
 	Issue introduced in 5.19 with commit af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 and fixed in 6.8.3 with commit eb08db0fc5354fa17b7ed66dab3c503332423451
 	Issue introduced in 5.19 with commit af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 and fixed in 6.9 with commit 4be9075fec0a639384ed19975634b662bfab938f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26940
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/vmwgfx/vmwgfx_drv.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/016119154981d81c9e8f2ea3f56b9e2b4ea14500
 	https://git.kernel.org/stable/c/042ef0afc40fa1a22b3608f22915b91ce39d128f
 	https://git.kernel.org/stable/c/25e3ce59c1200f1f0563e39de151f34962ab0fe1
 	https://git.kernel.org/stable/c/eb08db0fc5354fa17b7ed66dab3c503332423451
 	https://git.kernel.org/stable/c/4be9075fec0a639384ed19975634b662bfab938f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26940: drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed

	The driver creates /sys/kernel/debug/dri/0/mob_ttm even when the
	corresponding ttm_resource_manager is not allocated.
	This leads to a crash when trying to read from this file.

	Add a check to create mob_ttm, system_mob_ttm, and gmr_ttm debug file
	only when the corresponding ttm_resource_manager is allocated.

	crash> bt
	PID: 3133409 TASK: ffff8fe4834a5000 CPU: 3 COMMAND: "grep"
	#0 [ffffb954506b3b20] machine_kexec at ffffffffb2a6bec3
	#1 [ffffb954506b3b78] __crash_kexec at ffffffffb2bb598a
	#2 [ffffb954506b3c38] crash_kexec at ffffffffb2bb68c1
	#3 [ffffb954506b3c50] oops_end at ffffffffb2a2a9b1
	#4 [ffffb954506b3c70] no_context at ffffffffb2a7e913
	#5 [ffffb954506b3cc8] __bad_area_nosemaphore at ffffffffb2a7ec8c
	#6 [ffffb954506b3d10] do_page_fault at ffffffffb2a7f887
	#7 [ffffb954506b3d40] page_fault at ffffffffb360116e
	[exception RIP: ttm_resource_manager_debug+0x11]
	RIP: ffffffffc04afd11 RSP: ffffb954506b3df0 RFLAGS: 00010246
	RAX: ffff8fe41a6d1200 RBX: 0000000000000000 RCX: 0000000000000940
	RDX: 0000000000000000 RSI: ffffffffc04b4338 RDI: 0000000000000000
	RBP: ffffb954506b3e08 R8: ffff8fee3ffad000 R9: 0000000000000000
	R10: ffff8fe41a76a000 R11: 0000000000000001 R12: 00000000ffffffff
	R13: 0000000000000001 R14: ffff8fe5bb6f3900 R15: ffff8fe41a6d1200
	ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
	#8 [ffffb954506b3e00] ttm_resource_manager_show at ffffffffc04afde7 [ttm]
	#9 [ffffb954506b3e30] seq_read at ffffffffb2d8f9f3
	RIP: 00007f4c4eda8985 RSP: 00007ffdbba9e9f8 RFLAGS: 00000246
	RAX: ffffffffffffffda RBX: 000000000037e000 RCX: 00007f4c4eda8985
	RDX: 000000000037e000 RSI: 00007f4c41573000 RDI: 0000000000000003
	RBP: 000000000037e000 R8: 0000000000000000 R9: 000000000037fe30
	R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4c41573000
	R13: 0000000000000003 R14: 00007f4c41572010 R15: 0000000000000003
	ORIG_RAX: 0000000000000000 CS: 0033 SS: 002b

	The Linux kernel CVE team has assigned CVE-2024-26940 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.19 with commit af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 and fixed in 6.1.84 with commit 016119154981d81c9e8f2ea3f56b9e2b4ea14500
	Issue introduced in 5.19 with commit af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 and fixed in 6.6.24 with commit 042ef0afc40fa1a22b3608f22915b91ce39d128f
	Issue introduced in 5.19 with commit af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 and fixed in 6.7.12 with commit 25e3ce59c1200f1f0563e39de151f34962ab0fe1
	Issue introduced in 5.19 with commit af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 and fixed in 6.8.3 with commit eb08db0fc5354fa17b7ed66dab3c503332423451
	Issue introduced in 5.19 with commit af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 and fixed in 6.9 with commit 4be9075fec0a639384ed19975634b662bfab938f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26940
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/vmwgfx/vmwgfx_drv.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/016119154981d81c9e8f2ea3f56b9e2b4ea14500
	https://git.kernel.org/stable/c/042ef0afc40fa1a22b3608f22915b91ce39d128f
	https://git.kernel.org/stable/c/25e3ce59c1200f1f0563e39de151f34962ab0fe1
	https://git.kernel.org/stable/c/eb08db0fc5354fa17b7ed66dab3c503332423451
	https://git.kernel.org/stable/c/4be9075fec0a639384ed19975634b662bfab938f