cve/published/2024/CVE-2024-41094.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41094: drm/fbdev-dma: Only set smem_start is enable per module option

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/fbdev-dma: Only set smem_start is enable per module option

 Only export struct fb_info.fix.smem_start if that is required by the
 user and the memory does not come from vmalloc().

 Setting struct fb_info.fix.smem_start breaks systems where DMA
 memory is backed by vmalloc address space. An example error is
 shown below.

 [    3.536043] ------------[ cut here ]------------
 [    3.540716] virt_to_phys used for non-linear address: 000000007fc4f540 (0xffff800086001000)
 [    3.552628] WARNING: CPU: 4 PID: 61 at arch/arm64/mm/physaddr.c:12 __virt_to_phys+0x68/0x98
 [    3.565455] Modules linked in:
 [    3.568525] CPU: 4 PID: 61 Comm: kworker/u12:5 Not tainted 6.6.23-06226-g4986cc3e1b75-dirty #250
 [    3.577310] Hardware name: NXP i.MX95 19X19 board (DT)
 [    3.582452] Workqueue: events_unbound deferred_probe_work_func
 [    3.588291] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 [    3.595233] pc : __virt_to_phys+0x68/0x98
 [    3.599246] lr : __virt_to_phys+0x68/0x98
 [    3.603276] sp : ffff800083603990
 [    3.677939] Call trace:
 [    3.680393]  __virt_to_phys+0x68/0x98
 [    3.684067]  drm_fbdev_dma_helper_fb_probe+0x138/0x238
 [    3.689214]  __drm_fb_helper_initial_config_and_unlock+0x2b0/0x4c0
 [    3.695385]  drm_fb_helper_initial_config+0x4c/0x68
 [    3.700264]  drm_fbdev_dma_client_hotplug+0x8c/0xe0
 [    3.705161]  drm_client_register+0x60/0xb0
 [    3.709269]  drm_fbdev_dma_setup+0x94/0x148

 Additionally, DMA memory is assumed to by contiguous in physical
 address space, which is not guaranteed by vmalloc().

 Resolve this by checking the module flag drm_leak_fbdev_smem when
 DRM allocated the instance of struct fb_info. Fbdev-dma then only
 sets smem_start only if required (via FBINFO_HIDE_SMEM_START). Also
 guarantee that the framebuffer is not located in vmalloc address
 space.

 The Linux kernel CVE team has assigned CVE-2024-41094 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.4 with commit a51c7663f144606a5f08e772fa3e1e4f2277a614 and fixed in 6.6.37 with commit f29fcfbf6067c0d8c83f84a045da9276c08deac5
 	Issue introduced in 6.4 with commit a51c7663f144606a5f08e772fa3e1e4f2277a614 and fixed in 6.9.8 with commit 00702cfa8432ac67a72f56de5e1d278ddea2ebde
 	Issue introduced in 6.4 with commit a51c7663f144606a5f08e772fa3e1e4f2277a614 and fixed in 6.10 with commit d92a7580392ad4681b1d4f9275d00b95375ebe01

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41094
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/drm_fb_helper.c
 	drivers/gpu/drm/drm_fbdev_dma.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f29fcfbf6067c0d8c83f84a045da9276c08deac5
 	https://git.kernel.org/stable/c/00702cfa8432ac67a72f56de5e1d278ddea2ebde
 	https://git.kernel.org/stable/c/d92a7580392ad4681b1d4f9275d00b95375ebe01
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41094: drm/fbdev-dma: Only set smem_start is enable per module option

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/fbdev-dma: Only set smem_start is enable per module option

	Only export struct fb_info.fix.smem_start if that is required by the
	user and the memory does not come from vmalloc().

	Setting struct fb_info.fix.smem_start breaks systems where DMA
	memory is backed by vmalloc address space. An example error is
	shown below.

	[ 3.536043] ------------[ cut here ]------------
	[ 3.540716] virt_to_phys used for non-linear address: 000000007fc4f540 (0xffff800086001000)
	[ 3.552628] WARNING: CPU: 4 PID: 61 at arch/arm64/mm/physaddr.c:12 __virt_to_phys+0x68/0x98
	[ 3.565455] Modules linked in:
	[ 3.568525] CPU: 4 PID: 61 Comm: kworker/u12:5 Not tainted 6.6.23-06226-g4986cc3e1b75-dirty #250
	[ 3.577310] Hardware name: NXP i.MX95 19X19 board (DT)
	[ 3.582452] Workqueue: events_unbound deferred_probe_work_func
	[ 3.588291] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	[ 3.595233] pc : __virt_to_phys+0x68/0x98
	[ 3.599246] lr : __virt_to_phys+0x68/0x98
	[ 3.603276] sp : ffff800083603990
	[ 3.677939] Call trace:
	[ 3.680393] __virt_to_phys+0x68/0x98
	[ 3.684067] drm_fbdev_dma_helper_fb_probe+0x138/0x238
	[ 3.689214] __drm_fb_helper_initial_config_and_unlock+0x2b0/0x4c0
	[ 3.695385] drm_fb_helper_initial_config+0x4c/0x68
	[ 3.700264] drm_fbdev_dma_client_hotplug+0x8c/0xe0
	[ 3.705161] drm_client_register+0x60/0xb0
	[ 3.709269] drm_fbdev_dma_setup+0x94/0x148

	Additionally, DMA memory is assumed to by contiguous in physical
	address space, which is not guaranteed by vmalloc().

	Resolve this by checking the module flag drm_leak_fbdev_smem when
	DRM allocated the instance of struct fb_info. Fbdev-dma then only
	sets smem_start only if required (via FBINFO_HIDE_SMEM_START). Also
	guarantee that the framebuffer is not located in vmalloc address
	space.

	The Linux kernel CVE team has assigned CVE-2024-41094 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.4 with commit a51c7663f144606a5f08e772fa3e1e4f2277a614 and fixed in 6.6.37 with commit f29fcfbf6067c0d8c83f84a045da9276c08deac5
	Issue introduced in 6.4 with commit a51c7663f144606a5f08e772fa3e1e4f2277a614 and fixed in 6.9.8 with commit 00702cfa8432ac67a72f56de5e1d278ddea2ebde
	Issue introduced in 6.4 with commit a51c7663f144606a5f08e772fa3e1e4f2277a614 and fixed in 6.10 with commit d92a7580392ad4681b1d4f9275d00b95375ebe01

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41094
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/drm_fb_helper.c
	drivers/gpu/drm/drm_fbdev_dma.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f29fcfbf6067c0d8c83f84a045da9276c08deac5
	https://git.kernel.org/stable/c/00702cfa8432ac67a72f56de5e1d278ddea2ebde
	https://git.kernel.org/stable/c/d92a7580392ad4681b1d4f9275d00b95375ebe01