A recent vulnerability has been discovered and resolved in the Linux kernel's drm/xe/client module. The vulnerability, assigned as CVE-2024-46866, arises from missing buffer object (bo) locks in the show_meminfo() function. The absence of bo locking could lead to issues like Null Pointer Dereference (NPD) and Use After Free (UAF). This article will demonstrate how to patch the vulnerability, provide code snippets, and reference the original patch by cherry-picked commit.

The Exploit

The show_meminfo() function inspects the buffer object's state like tt (translation table) and the ttm (translation table manager) resource but fails to hold the bo lock when doing so. In turn, this could lead to NPD and UAF. To address this issue, the patch adds missing bo locks in the function, ensuring that any spinlocks are dropped beforehand. Additionally, the patch adds a necessary reference to the object_idr.

The Code Snippet

 diff --git a/drivers/gpu/drm/xe/xe_client.c b/drivers/gpu/drm/xe/xe_client.c
index d7453a..3c707e5 100644
--- a/drivers/gpu/drm/xe/xe_client.c
+++ b/drivers/gpu/drm/xe/xe_client.c
@@ -301,9 +301,12 @@ static void show_meminfo(struct seq_file *m, struct drm_device *dev)
{
    struct xe_driver *driver = dev->driver;
    struct xe_bo *bo;
+   unsigned long flags;
 
-   seq_puts(m, "  bo\trefcount\ttt\ttpages\tsize\n");
-   for (bo = idr_get_next(&driver->bo_idr, NULL); bo != NULL;
+   seq_puts(m, "  bo\trefcount\ttt\ttpages\tsize (unlocked)\n");
+
+   spin_lock_irqsave(driver->bo_idr_lock);
+   for (bo = idr_get_next(&driver->bo_idr, &flags); bo != NULL;
            bo = idr_get_next(&driver->bo_idr, &flags)) {
            /* Grab buffer object lock */
            spin_lock(&bo->lock);

Applying the Patch

To apply the patch, you must be running a Linux kernel that contains the drm/xe/client module. If you're using the git version control system, you can apply the patch with the following command:

$ git am <path-to-patch-file>

Substitute <path-to-patch-file> with the location of the patch file on your Linux system.

Conclusion

By adding the missing bo locks and necessary references in the show_meminfo() function within the drm/xe/client module, this patch addresses the CVE-2024-46866 vulnerability in the Linux kernel. Be sure to update your Linux kernel to the latest version to avoid any potential security risks like NPD and UAF.

Original References

- Official Commit Direct Link
- Diff of changes applied for patching
- Linux Git Source tree

Timeline

Published on: 09/27/2024 13:15:17 UTC
Last modified on: 10/01/2024 17:09:30 UTC