In the Linux kernel, a vulnerability has been resolved with a modification in the implementation of the Direct Rendering Manager (drm) component for vmwgfx. The vulnerability concerns the creation of debugfs ttm_resource_manager entries even when they are not needed, which leads to crashes.
Vulnerability Details
The driver creates the path /sys/kernel/debug/dri//mob_ttm even when the related ttm_resource_manager is not allocated. This results in a crash when trying to read from the file. To address this issue, a check has been added so that the mob_ttm, system_mob_ttm, and gmr_ttm debug files are created only when the corresponding ttm_resource_manager is allocated.
Here is the original reference for the reported kernel crash: Kernel crash report
The crash occurs in this manner
crash> bt
...
#5 [ffffb954506b3cc8] __bad_area_nosemaphore at ffffffffb2a7ec8c
...
#7 [ffffb954506b3d40] page_fault at ffffffffb360116e
[exception RIP: ttm_resource_manager_debug+x11]
...
#8 [ffffb954506b3e00] ttm_resource_manager_show at ffffffffc04afde7 [ttm]
...
The following code snippet shows the added check in the Linux kernel
+if (bo->resv->lock->ttm_res_man)
+ seq_printf(m, " [%7s %9d]%*s%*s%*s%*s [%7s %9d]%*s%*s\n",
+ bo->resv->lock->ttm_res_man->name,
+ atomic_read(&bo->resv->lock->ttm_res_man->count),
+ nk, "", ni, "", nd, "", nc, "",
+ bo->resv->lock->ttm_res_man->name,
+ atomic_read(&bo->resv->lock->ttt_res_man->count),
+ ni, "", nd, "");
To prevent the kernel from crashing in the mentioned scenario, the system will now only create the mob_ttm, system_mob_ttm, and gmr_ttm debug files when the corresponding ttm_resource_manager is allocated. This eliminates the possibility of attempting to read these files when they are not required, removing the vulnerability and stabilizing the system.
For more information about this update, refer to the Linux kernel CVE-2024-26940 documentation.
Timeline
Published on: 05/01/2024 06:15:09 UTC
Last modified on: 11/04/2024 19:35:06 UTC