// For flags

CVE-2023-52486

drm: Don't unref the same fb many times by mistake due to deadlock handling

Severity Score

4.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

drm: Don't unref the same fb many times by mistake due to deadlock handling

If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl()
we proceed to unref the fb and then retry the whole thing from the top.
But we forget to reset the fb pointer back to NULL, and so if we then
get another error during the retry, before the fb lookup, we proceed
the unref the same fb again without having gotten another reference.
The end result is that the fb will (eventually) end up being freed
while it's still in use.

Reset fb to NULL once we've unreffed it to avoid doing it again
until we've done another fb lookup.

This turned out to be pretty easy to hit on a DG2 when doing async
flips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I
saw that drm_closefb() simply got stuck in a busy loop while walking
the framebuffer list. Fortunately I was able to convince it to oops
instead, and from there it was easier to track down the culprit.

En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: drm: No desreferenciar el mismo fb muchas veces por error debido al manejo de interbloqueos Si obtenemos un punto muerto después de la búsqueda de fb en drm_mode_page_flip_ioctl() procedemos a desreferenciar el fb y luego Vuelva a intentarlo todo desde arriba. Pero nos olvidamos de restablecer el puntero fb a NULL, por lo que si obtenemos otro error durante el reintento, antes de la búsqueda de fb, procedemos a desref el mismo fb nuevamente sin haber obtenido otra referencia. El resultado final es que el Facebook (eventualmente) terminará siendo liberado mientras todavía está en uso. Restablezca fb a NULL una vez que lo hayamos eliminado para evitar hacerlo nuevamente hasta que hayamos realizado otra búsqueda de fb. Esto resultó ser bastante fácil de lograr en un DG2 cuando se realizan volteos asíncronos (y CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). El primer síntoma que vi fue que drm_closefb() simplemente se quedó atascado en un bucle ocupado mientras recorría la lista de framebuffer. Afortunadamente, pude convencerlo de que lo hiciera, y a partir de ahí fue más fácil localizar al culpable.

A flaw was found in the Linux kernel. A frame buffer can be freed while still in use in a specific situation in drivers/gpu/drm/drm_plane.c. This issue may compromise the availability.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-02-20 CVE Reserved
  • 2024-02-29 CVE Published
  • 2024-03-01 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-833: Deadlock
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 4.19.307
Search vendor "Linux" for product "Linux Kernel" and version " < 4.19.307"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 5.4.269
Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.269"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 5.10.210
Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.210"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 5.15.149
Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.149"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 6.1.76
Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.76"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 6.6.15
Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.15"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 6.7.3
Search vendor "Linux" for product "Linux Kernel" and version " < 6.7.3"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 6.8
Search vendor "Linux" for product "Linux Kernel" and version " < 6.8"
en
Affected