cve/published/2024/CVE-2024-56652.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56652: drm/xe/reg_sr: Remove register pool

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/xe/reg_sr: Remove register pool

 That pool implementation doesn't really work: if the krealloc happens to
 move the memory and return another address, the entries in the xarray
 become invalid, leading to use-after-free later:

 	BUG: KASAN: slab-use-after-free in xe_reg_sr_apply_mmio+0x570/0x760 [xe]
 	Read of size 4 at addr ffff8881244b2590 by task modprobe/2753

 	Allocated by task 2753:
 	 kasan_save_stack+0x39/0x70
 	 kasan_save_track+0x14/0x40
 	 kasan_save_alloc_info+0x37/0x60
 	 __kasan_kmalloc+0xc3/0xd0
 	 __kmalloc_node_track_caller_noprof+0x200/0x6d0
 	 krealloc_noprof+0x229/0x380

 Simplify the code to fix the bug. A better pooling strategy may be added
 back later if needed.

 (cherry picked from commit e5283bd4dfecbd3335f43b62a68e24dae23f59e4)

 The Linux kernel CVE team has assigned CVE-2024-56652 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.8 with commit dd08ebf6c3525a7ea2186e636df064ea47281987 and fixed in 6.12.6 with commit b0193a31a0ca5a0f9e60bb4a86537d46b98111b8
 	Issue introduced in 6.8 with commit dd08ebf6c3525a7ea2186e636df064ea47281987 and fixed in 6.13 with commit d7b028656c29b22fcde1c6ee1df5b28fbba987b5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56652
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/xe/xe_reg_sr.c
 	drivers/gpu/drm/xe/xe_reg_sr_types.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b0193a31a0ca5a0f9e60bb4a86537d46b98111b8
 	https://git.kernel.org/stable/c/d7b028656c29b22fcde1c6ee1df5b28fbba987b5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56652: drm/xe/reg_sr: Remove register pool

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/xe/reg_sr: Remove register pool

	That pool implementation doesn't really work: if the krealloc happens to
	move the memory and return another address, the entries in the xarray
	become invalid, leading to use-after-free later:

	BUG: KASAN: slab-use-after-free in xe_reg_sr_apply_mmio+0x570/0x760 [xe]
	Read of size 4 at addr ffff8881244b2590 by task modprobe/2753

	Allocated by task 2753:
	kasan_save_stack+0x39/0x70
	kasan_save_track+0x14/0x40
	kasan_save_alloc_info+0x37/0x60
	__kasan_kmalloc+0xc3/0xd0
	__kmalloc_node_track_caller_noprof+0x200/0x6d0
	krealloc_noprof+0x229/0x380

	Simplify the code to fix the bug. A better pooling strategy may be added
	back later if needed.

	(cherry picked from commit e5283bd4dfecbd3335f43b62a68e24dae23f59e4)

	The Linux kernel CVE team has assigned CVE-2024-56652 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.8 with commit dd08ebf6c3525a7ea2186e636df064ea47281987 and fixed in 6.12.6 with commit b0193a31a0ca5a0f9e60bb4a86537d46b98111b8
	Issue introduced in 6.8 with commit dd08ebf6c3525a7ea2186e636df064ea47281987 and fixed in 6.13 with commit d7b028656c29b22fcde1c6ee1df5b28fbba987b5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56652
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/xe/xe_reg_sr.c
	drivers/gpu/drm/xe/xe_reg_sr_types.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b0193a31a0ca5a0f9e60bb4a86537d46b98111b8
	https://git.kernel.org/stable/c/d7b028656c29b22fcde1c6ee1df5b28fbba987b5