CVE-2023-52486

drm: Don't unref the same fb many times by mistake due to deadlock handling

Severity Score

4.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

drm: Don't unref the same fb many times by mistake due to deadlock handling

If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl()
we proceed to unref the fb and then retry the whole thing from the top.
But we forget to reset the fb pointer back to NULL, and so if we then
get another error during the retry, before the fb lookup, we proceed
the unref the same fb again without having gotten another reference.
The end result is that the fb will (eventually) end up being freed
while it's still in use.

Reset fb to NULL once we've unreffed it to avoid doing it again
until we've done another fb lookup.

This turned out to be pretty easy to hit on a DG2 when doing async
flips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I
saw that drm_closefb() simply got stuck in a busy loop while walking
the framebuffer list. Fortunately I was able to convince it to oops
instead, and from there it was easier to track down the culprit.

En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: drm: No desreferenciar el mismo fb muchas veces por error debido al manejo de interbloqueos Si obtenemos un punto muerto después de la búsqueda de fb en drm_mode_page_flip_ioctl() procedemos a desreferenciar el fb y luego Vuelva a intentarlo todo desde arriba. Pero nos olvidamos de restablecer el puntero fb a NULL, por lo que si obtenemos otro error durante el reintento, antes de la búsqueda de fb, procedemos a desref el mismo fb nuevamente sin haber obtenido otra referencia. El resultado final es que el Facebook (eventualmente) terminará siendo liberado mientras todavía está en uso. Restablezca fb a NULL una vez que lo hayamos eliminado para evitar hacerlo nuevamente hasta que hayamos realizado otra búsqueda de fb. Esto resultó ser bastante fácil de lograr en un DG2 cuando se realizan volteos asíncronos (y CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). El primer síntoma que vi fue que drm_closefb() simplemente se quedó atascado en un bucle ocupado mientras recorría la lista de framebuffer. Afortunadamente, pude convencerlo de que lo hiciera, y a partir de ahí fue más fácil localizar al culpable.

A flaw was found in the Linux kernel. A frame buffer can be freed while still in use in a specific situation in drivers/gpu/drm/drm_plane.c. This issue may compromise the availability.

*Credits: N/A

CVSS Scores

Red Hatv3.1 4.4

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-20 CVE Reserved
2024-02-29 CVE Published
2024-03-01 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-833: Deadlock

CAPEC

References (12)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/376e21a9e4c2c63ee5d8d3aa74be5082c3882229	2024-02-23
https://git.kernel.org/stable/c/9dd334a8245011ace45e53298175c7b659edb3e7	2024-02-23
https://git.kernel.org/stable/c/f55261469be87c55df13db76dc945f6bcd825105	2024-02-23
https://git.kernel.org/stable/c/b4af63da9d94986c529d74499fdfe44289acd551	2024-02-23
https://git.kernel.org/stable/c/62f2e79cf9f4f47cc9dea9cebdf58d9f7b5695e0	2024-02-01
https://git.kernel.org/stable/c/d7afdf360f4ac142832b098b4de974e867cc063c	2024-02-01
https://git.kernel.org/stable/c/bfd0feb1b109cb63b87fdcd00122603787c75a1a	2024-02-01
https://git.kernel.org/stable/c/cb4daf271302d71a6b9a7c01bd0b6d76febd8f0c	2023-12-23

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-52486	2024-09-03
https://bugzilla.redhat.com/show_bug.cgi?id=2269070	2024-09-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.19.307 Search vendor "Linux" for product "Linux Kernel" and version " < 4.19.307"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.4.269 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.269"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.10.210 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.210"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.15.149 Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.149"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.1.76 Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.76"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.6.15 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.15"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.7.3 Search vendor "Linux" for product "Linux Kernel" and version " < 6.7.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.8 Search vendor "Linux" for product "Linux Kernel" and version " < 6.8"		en		Affected