CVE-2024-42262: Linux Kernel Vulnerability Resolved - DRM/V3D Memory Leak Fix

A vulnerability (CVE-2024-42262) was found in the Linux kernel's drm/v3d driver, which drives the Broadcom VideoCore GPUs used on boards such as the Raspberry Pi 4 and 5. It is a kernel memory leak on an error path: references taken on drm_syncobj objects are never dropped when user-space input fails to copy, so the objects are never freed. A local process that can repeatedly hit the path can exhaust kernel memory and degrade or crash the system. The issue has since been fixed upstream.

Vulnerability Details

The vulnerability sits in the loop where the drm/v3d driver parses a job submission from user space. For each entry the loop looks up a drm_syncobj (the object used to synchronise rendering) by handle, which takes a reference on it, and copies further data from user memory. If that copy fails part-way through the loop, the function returns the error without calling drm_syncobj_put on the syncobjs it has already looked up. drm_syncobj objects are reference-counted, so a reference that is never dropped keeps the object alive forever; every failed submission leaks one object per entry processed so far. Because the copy fails on input the caller controls, the leak can be triggered at will until the kernel runs out of memory.

A simplified version of the vulnerable code path (the names below mirror the page's snippet rather than the driver verbatim):

static int
v3d_gem_perf_cnt_fetch(struct drm_file *file, struct v3d_perf_cnt *perf,
                       void __user *src)
{
    int i, err = 0;

    /* Each successful lookup takes a reference on the syncobj. */
    for (i = 0; i < perf->n_syncobjs; i++) {
        struct drm_syncobj *sobj;

        sobj = drm_syncobj_find(file, perf->handles[i]);
        if (!sobj) {
            err = -ENOENT;
            break;
        }
        perf->syncobjs[i] = sobj;
    }

    /* Bug: returning here drops nothing that was looked up above. */
    if (err)
        return err;

    /*
     * Bug: if the user-space copy fails, the function returns without
     * calling drm_syncobj_put on perf->syncobjs[0..i-1], so those
     * objects are never freed.
     */
    if (copy_from_user(perf->base, src, perf->byte_count))
        return -EFAULT;

    return 0;
}

Additional context

The fix makes the cleanup helper that releases a job's syncobjs available outside its original file and calls it from every error path of the parsing loop. Whichever step fails (unknown handle or a failed copy from user space), the helper walks the array and calls drm_syncobj_put on each entry that was filled in, so no reference is left dangling.

The patched version, again simplified:

/*
 * Shared cleanup: drop the reference taken on every syncobj looked up so
 * far. Slots that were never filled are NULL and skipped, so the caller
 * must start from a zeroed perf->syncobjs array. Non-static so the normal
 * job-cleanup path can reuse it.
 */
void
v3d_gem_perf_cnt_put_syncobjs(struct v3d_perf_cnt *perf)
{
    int i;

    for (i = 0; i < perf->n_syncobjs; i++) {
        if (perf->syncobjs[i])
            drm_syncobj_put(perf->syncobjs[i]);
    }
}

static int
v3d_gem_perf_cnt_fetch(struct drm_file *file, struct v3d_perf_cnt *perf,
                       void __user *src)
{
    int i, err = 0;

    for (i = 0; i < perf->n_syncobjs; i++) {
        struct drm_syncobj *sobj;

        sobj = drm_syncobj_find(file, perf->handles[i]);
        if (!sobj) {
            err = -ENOENT;
            goto out;
        }
        perf->syncobjs[i] = sobj;
    }

    if (copy_from_user(perf->base, src, perf->byte_count))
        err = -EFAULT;

out:
    /* Every error path now releases the references taken above. */
    if (err)
        v3d_gem_perf_cnt_put_syncobjs(perf);

    return err;
}
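The two snippets above show the shape of the bug and of the fix, but not how to prove that the fix closes the leak. The following user-space model, added here as an example and not taken from the kernel or from the v3d driver, reproduces the reference-counted lookup loop with a small constructed handle table and a leak detector, then runs the same job through the vulnerable and the fixed error path. All names (model_syncobj, model_find, model_put, model_fetch, model_leak_after_submit) and the handle table contents are assumptions chosen for this example; the mid-loop failure is modelled as an unknown handle, which takes the same early-exit path as a failed user-space copy.

```c
/*
 * Added example (not kernel code): a user-space model of the
 * lookup-then-fail pattern behind CVE-2024-42262, with a leak-detecting
 * harness. Every name below is an assumption chosen for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_HANDLES  8   /* size of the constructed handle table */
#define MAX_SYNCOBJS 4   /* per-job array, like perf->syncobjs[] above */

struct model_syncobj {
    int refcount;        /* stands in for the kref inside drm_syncobj */
};

/* Constructed handle table: handle h is valid iff table[h].refcount > 0. */
static struct model_syncobj table[NUM_HANDLES];

/* Reset to the baseline: one reference per live object; handles 2 and 5 dangle. */
static void model_reset_table(void)
{
    for (int h = 0; h < NUM_HANDLES; h++)
        table[h].refcount = (h % 3 == 2) ? 0 : 1;
}

/* Mirrors drm_syncobj_find(): returns the object with one extra reference,
 * or NULL when the handle does not exist. */
static struct model_syncobj *model_find(uint32_t handle)
{
    if (handle >= NUM_HANDLES || table[handle].refcount == 0)
        return NULL;
    table[handle].refcount++;
    return &table[handle];
}

/* Mirrors drm_syncobj_put(): drop the reference taken by model_find(). */
static void model_put(struct model_syncobj *obj)
{
    obj->refcount--;
}

/* Leak detector: references still held above the table's baseline of 1. */
static int model_leaked_refs(void)
{
    int extra = 0;
    for (int h = 0; h < NUM_HANDLES; h++)
        if (table[h].refcount > 1)
            extra += table[h].refcount - 1;
    return extra;
}

struct model_job {
    uint32_t handles[MAX_SYNCOBJS];
    struct model_syncobj *syncobjs[MAX_SYNCOBJS];
    int n_syncobjs;
};

/* The common cleanup helper of the fix: release every reference acquired
 * so far; entries never filled in are NULL and skipped. */
static void model_put_syncobjs(struct model_job *job)
{
    for (int i = 0; i < job->n_syncobjs; i++)
        if (job->syncobjs[i])
            model_put(job->syncobjs[i]);
}

/* The parsing loop. fixed == 0 reproduces the vulnerable early return;
 * fixed == 1 routes the error through the cleanup helper. */
static int model_fetch(struct model_job *job, int fixed)
{
    int err = 0;
    memset(job->syncobjs, 0, sizeof(job->syncobjs));
    for (int i = 0; i < job->n_syncobjs; i++) {
        struct model_syncobj *obj = model_find(job->handles[i]);
        if (!obj) {
            err = -2;            /* -ENOENT in the kernel */
            break;
        }
        job->syncobjs[i] = obj;
    }
    if (err && fixed)
        model_put_syncobjs(job);
    return err;
}

/* Submit one job against a fresh table and report how many references are
 * still outstanding afterwards (0 means no leak; -1 means invalid input). */
static int model_leak_after_submit(const uint32_t *handles, int n, int fixed)
{
    if (n < 0 || n > MAX_SYNCOBJS)
        return -1;
    struct model_job job = { .n_syncobjs = n };
    memcpy(job.handles, handles, (size_t)n * sizeof(uint32_t));
    model_reset_table();
    if (model_fetch(&job, fixed) == 0)
        model_put_syncobjs(&job);   /* normal completion releases everything */
    return model_leaked_refs();
}

/* Constructed inputs: the first list fails at index 2, the second succeeds. */
static const uint32_t sample_bad_handles[MAX_SYNCOBJS]  = { 0, 1, 2, 3 };
static const uint32_t sample_good_handles[MAX_SYNCOBJS] = { 0, 1, 3, 4 };

int main(void)
{
    printf("vulnerable, failing job: %d leaked\n",
           model_leak_after_submit(sample_bad_handles, MAX_SYNCOBJS, 0));
    printf("fixed, failing job:      %d leaked\n",
           model_leak_after_submit(sample_bad_handles, MAX_SYNCOBJS, 1));
    printf("fixed, good job:         %d leaked\n",
           model_leak_after_submit(sample_good_handles, MAX_SYNCOBJS, 1));
    return 0;
}
```

The harness reports two leaked references for the vulnerable path (handles 0 and 1 were looked up before handle 2 failed) and none once the helper runs on the error path. The same idea scales to the real driver: run the failing submission in a loop and watch kernel slab usage or a kmemleak report grow.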

References

- The Linux commit that resolved this issue: Linux Kernel Commit 484de39
- Background on the drm/v3d driver: DRM/V3D Kernel Documentation

Exploit Details

No public exploit for this vulnerability is known. The realistic impact is denial of service: a local process with access to the V3D DRM device node can submit malformed jobs in a loop and leak kernel memory until the system degrades or crashes; it does not give code execution or privilege escalation on its own. Update the kernel to a version containing the fix, and on shared systems restrict who can open the DRM render node until you have.

Timeline

Published on: 08/17/2024 09:15:07 UTC
Last modified on: 08/19/2024 20:05:15 UTC