CVE-2023-52486
drm: Don't unref the same fb many times by mistake due to deadlock handling
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
drm: Don't unref the same fb many times by mistake due to deadlock handling
If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl()
we proceed to unref the fb and then retry the whole thing from the top.
But we forget to reset the fb pointer back to NULL, and so if we then
get another error during the retry, before the fb lookup, we proceed
the unref the same fb again without having gotten another reference.
The end result is that the fb will (eventually) end up being freed
while it's still in use.
Reset fb to NULL once we've unreffed it to avoid doing it again
until we've done another fb lookup.
This turned out to be pretty easy to hit on a DG2 when doing async
flips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I
saw that drm_closefb() simply got stuck in a busy loop while walking
the framebuffer list. Fortunately I was able to convince it to oops
instead, and from there it was easier to track down the culprit.
En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: drm: No desreferenciar el mismo fb muchas veces por error debido al manejo de interbloqueos Si obtenemos un punto muerto después de la búsqueda de fb en drm_mode_page_flip_ioctl() procedemos a desreferenciar el fb y luego Vuelva a intentarlo todo desde arriba. Pero nos olvidamos de restablecer el puntero fb a NULL, por lo que si obtenemos otro error durante el reintento, antes de la búsqueda de fb, procedemos a desref el mismo fb nuevamente sin haber obtenido otra referencia. El resultado final es que el Facebook (eventualmente) terminará siendo liberado mientras todavía está en uso. Restablezca fb a NULL una vez que lo hayamos eliminado para evitar hacerlo nuevamente hasta que hayamos realizado otra búsqueda de fb. Esto resultó ser bastante fácil de lograr en un DG2 cuando se realizan volteos asíncronos (y CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). El primer síntoma que vi fue que drm_closefb() simplemente se quedó atascado en un bucle ocupado mientras recorría la lista de framebuffer. Afortunadamente, pude convencerlo de que lo hiciera, y a partir de ahí fue más fácil localizar al culpable.
A flaw was found in the Linux kernel. A frame buffer can be freed while still in use in a specific situation in drivers/gpu/drm/drm_plane.c. This issue may compromise the availability.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-20 CVE Reserved
- 2024-02-29 CVE Published
- 2024-03-01 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-833: Deadlock
CAPEC
References (12)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html | ||
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2023-52486 | 2024-09-03 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2269070 | 2024-09-03 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 4.19.307 Search vendor "Linux" for product "Linux Kernel" and version " < 4.19.307" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 5.4.269 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.269" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 5.10.210 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.210" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 5.15.149 Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.149" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 6.1.76 Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.76" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 6.6.15 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.15" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 6.7.3 Search vendor "Linux" for product "Linux Kernel" and version " < 6.7.3" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " < 6.8" | en |
Affected
|