A recent vulnerability discovered in the Linux kernel has drawn the attention of developers and security enthusiasts. The vulnerability, CVE-2024-53078, affects the drm/tegra subsystem, the open-source DRM driver for NVIDIA Tegra GPUs. More specifically, the problem lies in the driver's probe() path: a function it calls returns error pointers on failure rather than NULL pointers, but the driver only checks for NULL. In this post, we will walk through the details of this vulnerability, provide code snippets, and discuss the necessary steps to address the issue.
Vulnerability Details
The probe() function in the drm/tegra driver performs the initialization procedure when a new Tegra GPU device is added to the system. The vulnerability arises because iommu_paging_domain_alloc(), which is called during probe(), returns an error pointer on failure instead of NULL, while the driver checks its result for NULL rather than with IS_ERR(). The failure is therefore never detected, and the error pointer is stored as if it were a valid IOMMU domain.
Here's the vulnerable code snippet from the Linux kernel (parts not relevant to the bug are elided):
struct tegra_drm *tegra_drm_alloc(struct device *dev, int num)
{
	struct tegra_drm *tegra;
	int err;

	tegra = kzalloc(sizeof(*tegra), GFP_KERNEL);
	if (!tegra)
		return NULL;

	/* Allocate IOMMU domain */
	tegra->domain = iommu_paging_domain_alloc(dev);
	/* BUG: on failure iommu_paging_domain_alloc() returns an error pointer, not NULL, so this check never fires */
	if (!tegra->domain) {
		dev_err(dev, "Failed to allocate IOMMU domain\n");
		err = -ENODEV;
		goto free;
	}
	...
}

static int tegra_drm_probe(struct platform_device *pdev)
{
	...
	/* tegra_drm_alloc() returns NULL on failure, so a NULL check is correct here */
	tegra = tegra_drm_alloc(dev, num_wins);
	if (!tegra)
		return -ENOMEM;
	...
}
In the above code snippet, the incorrect check is in tegra_drm_alloc(), which tegra_drm_probe() calls:
	if (!tegra->domain) {
		dev_err(dev, "Failed to allocate IOMMU domain\n");
		err = -ENODEV;
		goto free;
	}
This check should use IS_ERR() to detect an error pointer, since the allocator signals failure with an error pointer rather than a NULL pointer.
Patch
The issue has been addressed in the latest Linux kernel patches. The following code snippet shows the patch applied to fix the issue:
	/* Updated check in the tegra_drm_alloc() function */
	if (IS_ERR(tegra->domain)) {
		dev_err(dev, "Failed to allocate IOMMU domain\n");
		/* propagate the allocator's own error code instead of a fixed -ENODEV */
		err = PTR_ERR(tegra->domain);
		goto free;
	}
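As an added example (not the driver's code or the kernel patch), the following user-space program models the ERR_PTR()/IS_ERR()/PTR_ERR() convention from the kernel's include/linux/err.h and puts the pre-patch NULL check beside the patched IS_ERR() check. The macro definitions follow the kernel's approach (top MAX_ERRNO values of the address space are reserved for error codes) and are reproduced here as an assumption; fake_paging_domain_alloc() is a constructed stand-in for iommu_paging_domain_alloc() that, like the real function as described above, reports failure with an error pointer and never with NULL. It shows that the vulnerable check accepts the error pointer as a valid domain, while the fixed check rejects it and keeps the errno.

```c
/*
 * Added example: user-space model of the kernel's error-pointer convention.
 * The ERR_PTR/IS_ERR/PTR_ERR definitions mirror include/linux/err.h (assumption);
 * fake_paging_domain_alloc() is a constructed stand-in for
 * iommu_paging_domain_alloc(), not the real IOMMU code.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* The kernel reserves the top MAX_ERRNO addresses for encoded error codes. */
#define MAX_ERRNO 4095
#define IS_ERR_VALUE(x) ((unsigned long)(x) >= (unsigned long)-MAX_ERRNO)

static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr) { return IS_ERR_VALUE(ptr); }

struct iommu_domain { int id; };

/* Stand-in allocator: returns an error pointer on failure, never NULL. */
static struct iommu_domain *fake_paging_domain_alloc(int has_iommu)
{
	struct iommu_domain *d;

	if (!has_iommu)
		return ERR_PTR(-ENODEV);	/* constructed failure mode */
	d = malloc(sizeof(*d));
	if (!d)
		return ERR_PTR(-ENOMEM);
	d->id = 1;
	return d;
}

/* Pre-patch pattern: only NULL is treated as failure. */
int alloc_domain_vulnerable(int has_iommu, struct iommu_domain **out)
{
	struct iommu_domain *d = fake_paging_domain_alloc(has_iommu);

	if (!d)
		return -ENODEV;
	*out = d;	/* on failure an error pointer is stored as if valid */
	return 0;
}

/* Patched pattern: IS_ERR() detects the error pointer, PTR_ERR() keeps the errno. */
int alloc_domain_fixed(int has_iommu, struct iommu_domain **out)
{
	struct iommu_domain *d = fake_paging_domain_alloc(has_iommu);

	if (IS_ERR(d))
		return (int)PTR_ERR(d);
	*out = d;
	return 0;
}

/* 1 if the vulnerable path reported success while handing back an error pointer. */
int vulnerable_accepts_error_pointer(void)
{
	struct iommu_domain *d = NULL;
	int ret = alloc_domain_vulnerable(0, &d);

	return ret == 0 && IS_ERR(d);
}

/* Return value of the fixed path when the allocator fails (expected -ENODEV). */
int fixed_failure_code(void)
{
	struct iommu_domain *d = NULL;

	return alloc_domain_fixed(0, &d);
}

/* Domain id from the fixed path on success, or -1 if it failed. */
int fixed_success_id(void)
{
	struct iommu_domain *d = NULL;
	int id = -1;

	if (alloc_domain_fixed(1, &d) == 0 && !IS_ERR(d)) {
		id = d->id;
		free(d);
	}
	return id;
}

int main(void)
{
	printf("vulnerable check accepts error pointer: %d\n",
	       vulnerable_accepts_error_pointer());
	printf("fixed check on failure returns %d (expected %d)\n",
	       fixed_failure_code(), -ENODEV);
	printf("fixed check on success yields domain id %d\n", fixed_success_id());
	return 0;
}
```

Build with `cc -std=c11 err_ptr_demo.c -o err_ptr_demo` and run it. In the kernel the stored error pointer would later be dereferenced by code that believes it holds a valid domain, which is the crash the advisory refers to; the IS_ERR() check turns that into a clean probe failure with the allocator's own error code.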
Exploit Details
While there are no known exploits at the moment for this vulnerability, it is crucial to apply the patch to prevent potential security issues or crashes due to the improper handling of error pointers.
References
For more details on the patch and its application, please refer to the official Linux kernel mailing list announcement:
- drm/tegra: Fix NULL vs IS_ERR() check in probe commit
Conclusion
To summarise, the CVE-2024-53078 vulnerability in the Linux kernel's drm/tegra subsystem has been addressed with a patch replacing the incorrect NULL pointer check with the appropriate IS_ERR() check. It is essential to update your Linux kernel to a patched version in order to ensure a secure and stable system.
Timeline
Published on: 11/19/2024 18:15:27 UTC
Last modified on: 11/25/2024 13:31:57 UTC