CVE-2024-26940 is a vulnerability in the Linux kernel's drm/vmwgfx driver. The driver created debugfs files for its TTM resource managers even when those managers had never been set up, so reading one of the files dereferenced a NULL pointer and crashed the kernel. In this post, we'll break down the vulnerability and its impact, give code snippets, explain how you could trigger it, and point to the original references.
Technical Details: What Went Wrong?
The bug lives in the drm/vmwgfx driver, the DRM driver for VMware's virtual GPU. The driver creates several debug files under /sys/kernel/debug/dri// that expose statistics for its TTM resource managers, the memory pools behind MOB, system-MOB and GMR allocations.
Previously, the driver always created the debug files
- /sys/kernel/debug/dri//mob_ttm
- /sys/kernel/debug/dri//system_mob_ttm
- /sys/kernel/debug/dri//gmr_ttm
regardless of whether the underlying ttm_resource_manager existed. On a guest whose virtual device does not advertise MOB or GMR support, the corresponding manager is never allocated, and the file is registered with a NULL pointer as its private data.
Reading such a file runs the seq_file show handler, which takes the manager pointer from the file's private data and dereferences it to print the manager's state. With no manager behind the file, that is a NULL pointer dereference, and the kernel oopses.
Example crash:
(Notice the call stack enters ttm_resource_manager_show, and from there ttm_resource_manager_debug, with a NULL manager.)
crash> bt
PID: 3133409 TASK: ffff8fe4834a500 CPU: 3 COMMAND: "grep"
#0 [ffffb954506b3b20] machine_kexec at ffffffffb2a6bec3
#1 [ffffb954506b3b78] __crash_kexec at ffffffffb2bb598a
...
#8 [ffffb954506b3e00] ttm_resource_manager_show at ffffffffc04afde7 [ttm]
...
Who’s Affected and Impact
Any system with the vmwgfx kernel module *loaded* and debugfs available (CONFIG_DEBUG_FS) is a potential target, which in practice means VMware guests. Note that debugfs is mounted root-only (mode 0700) by default, so reaching the files requires root or a setup that has relaxed the debugfs permissions.
Exploit Proof-of-Concept
cat /sys/kernel/debug/dri//mob_ttm
# If no MOB manager backs mob_ttm, this single read oopses the kernel. Try it only on a disposable VM.
Original Buggy Code (Simplified)
// Always created the debugfs entry, even when mob_manager was NULL.
debugfs_create_file("mob_ttm", S_IRUGO, parent, mob_manager, &ttm_resource_manager_fops);
The Fix
The fix is simple: create each file only if its ttm_resource_manager exists. The same guard was applied to system_mob_ttm and gmr_ttm.
if (mob_manager) {
debugfs_create_file("mob_ttm", S_IRUGO, parent, mob_manager, &ttm_resource_manager_fops);
}
See the upstream patch, "drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed", for the full change.
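To make the control flow concrete, here is an added user-space model of the two registration paths side by side. It is my own example, not kernel code or anything from the vmwgfx project: it keeps the kernel's names (debugfs_create_file, ttm_resource_manager_show, the func->debug callback) but the structures, the gmrid_debug output format and the scenario of a guest with a GMR manager and no MOB manager are constructed for illustration. The one deliberate departure is that the modelled read handler returns -EFAULT where the real one dereferences NULL and oopses, so the program can print both outcomes.

```c
/* Constructed user-space model of CVE-2024-26940 (added example, not kernel
 * code): kernel names are kept, the data structures are simplified. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct ttm_resource_manager;

struct ttm_resource_manager_func {
    void (*debug)(struct ttm_resource_manager *man, char *buf, size_t len);
};

struct ttm_resource_manager {
    const struct ttm_resource_manager_func *func;
    unsigned long size;   /* pages the manager controls */
    unsigned long usage;  /* pages currently handed out */
};

/* Stand-in for a debugfs file: its name plus the 'private' pointer the
 * read handler dereferences later. */
struct debugfs_entry {
    char name[32];
    void *private;
};

#define MAX_ENTRIES 8
struct debugfs_dir {
    struct debugfs_entry ent[MAX_ENTRIES];
    int count;
};

/* Like debugfs_create_file(): stores whatever pointer it is given, NULL included. */
static int debugfs_create_file(struct debugfs_dir *dir, const char *name, void *private)
{
    if (dir->count >= MAX_ENTRIES)
        return -ENOSPC;
    snprintf(dir->ent[dir->count].name, sizeof(dir->ent[0].name), "%s", name);
    dir->ent[dir->count++].private = private;
    return 0;
}

/* Constructed debug callback for the GMR manager (format is illustrative). */
static void gmrid_debug(struct ttm_resource_manager *man, char *buf, size_t len)
{
    snprintf(buf, len, "  size: %lu\n  usage: %lu\n", man->size, man->usage);
}
static const struct ttm_resource_manager_func gmrid_func = { .debug = gmrid_debug };

/* Models ttm_resource_manager_show(), the seq_file read handler: take the
 * manager from the file's private data and call man->func->debug(). In the
 * kernel a NULL manager is dereferenced and the machine oopses; the model
 * returns -EFAULT at that point so the program can carry on. */
static int ttm_resource_manager_show(const struct debugfs_entry *e, char *buf, size_t len)
{
    struct ttm_resource_manager *man = e->private;

    if (!man)
        return -EFAULT;   /* the real handler has no such check */
    man->func->debug(man, buf, len);
    return 0;
}

/* `cat <dir>/<name>`: -ENOENT when the file was never created. */
static int debugfs_read(const struct debugfs_dir *dir, const char *name, char *buf, size_t len)
{
    for (int i = 0; i < dir->count; i++)
        if (strcmp(dir->ent[i].name, name) == 0)
            return ttm_resource_manager_show(&dir->ent[i], buf, len);
    return -ENOENT;
}

/* Pre-patch registration: every file is created, NULL manager or not. */
static void vmw_debugfs_init_buggy(struct debugfs_dir *dir, struct ttm_resource_manager *mob,
                                   struct ttm_resource_manager *gmr)
{
    debugfs_create_file(dir, "mob_ttm", mob);
    debugfs_create_file(dir, "gmr_ttm", gmr);
}

/* Post-patch registration: a file exists only if its manager does. */
static void vmw_debugfs_init_fixed(struct debugfs_dir *dir, struct ttm_resource_manager *mob,
                                   struct ttm_resource_manager *gmr)
{
    if (mob)
        debugfs_create_file(dir, "mob_ttm", mob);
    if (gmr)
        debugfs_create_file(dir, "gmr_ttm", gmr);
}

/* Constructed scenario: a guest with a GMR manager but no MOB manager.
 * Returns what reading <name> yields under the buggy (0) or fixed (1) driver. */
static int read_ttm_file(int fixed, const char *name, char *buf, size_t len)
{
    struct ttm_resource_manager gmr = { .func = &gmrid_func, .size = 4096, .usage = 128 };
    struct debugfs_dir dir = { .count = 0 };

    if (fixed)
        vmw_debugfs_init_fixed(&dir, NULL, &gmr);
    else
        vmw_debugfs_init_buggy(&dir, NULL, &gmr);
    return debugfs_read(&dir, name, buf, len);
}

int main(void)
{
    const char *files[] = { "mob_ttm", "gmr_ttm" };
    char buf[64];

    for (int fixed = 0; fixed < 2; fixed++)
        for (int i = 0; i < 2; i++) {
            int rc = read_ttm_file(fixed, files[i], buf, sizeof(buf));
            printf("%s driver: cat %s -> %s\n", fixed ? "fixed" : "buggy", files[i],
                   rc == 0 ? "ok" : rc == -ENOENT ? "No such file" : "NULL deref, kernel oops");
        }
    return 0;
}
```

Under the buggy registration the missing MOB manager still gets a file, and the first read of it walks straight into the NULL pointer; under the fixed registration the same read simply fails with ENOENT, while gmr_ttm works in both. The guard belongs at registration time because ttm_resource_manager_show is generic TTM code shared by every DRM driver, and it reasonably assumes whoever created the file handed it a real manager.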
Exploitation Steps
You need read access to debugfs. It is root-only (mode 0700) by default, so as a normal user this only works where a distro or dev setup has relaxed those permissions for troubleshooting; otherwise do it as root.
First, make sure debugfs is mounted (as root, if it isn't):
mount -t debugfs debugfs /sys/kernel/debug
Then go to the DRM debug directory for the vmwgfx device and read one of the ttm entries:
cd /sys/kernel/debug/dri//
cat mob_ttm
On an unpatched kernel where the MOB manager was never allocated, the read oopses immediately; system_mob_ttm and gmr_ttm behave the same way when their managers are missing. Only try this on a disposable VM.
How Bad Is It?
- Local denial of service: a system crash (kernel panic/reboot) from a single read of a debug file. The handler only reads through the NULL pointer, so nothing beyond the crash is known to result from it.
Mitigation & Patch
- Upgrade your kernel to a version that includes this patch.
- Until then, keep debugfs unmounted, or leave it at its default root-only permissions, so untrusted users cannot read the affected files.
Upstream
- LKML Fix Thread
- Patch in Torvalds’ tree
Final Thoughts
CVE-2024-26940 is a classic example of a “footgun” in kernel driver debug code: always double-check what you’re exposing, and don’t offer up interfaces for data that doesn’t exist. Even debug tooling can take down a system!
References
- drm/vmwgfx GitHub
- Linux kernel official patch
- CVE-2024-26940 entry (CVE Details)
*Stay secure, and always treat your debug interfaces with care!*
Timeline
Published on: 05/01/2024 06:15:09 UTC
Last modified on: 11/04/2024 19:35:06 UTC