CVE-2024-0671

Vulnerabilidad de Use After Free en Arm Ltd Midgard GPU Kernel Driver, Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver permite a un usuario local sin privilegios realizar operaciones de procesamiento de memoria GPU inadecuadas para obtener acceso a la memoria ya liberada. Este problema afecta al controlador del kernel de GPU Midgard: desde r19p0 hasta r32p0; Controlador del kernel de GPU Bifrost: desde r7p0 hasta r48p0; Controlador del kernel de GPU Valhall: desde r19p0 hasta r48p0; Controlador del kernel de arquitectura de GPU Arm de quinta generación: desde r41p0 hasta r48p0.

In mmu_insert_pages_no_flush(), when a HUGE_HEAD page is mapped to a 2M aligned GPU address, this is done by creating an Address Translation Entry (ATE) at MIDGARD_MMU_LEVEL(2) (in other words, an ATE covering 2M of memory is created). This is wrong because it assumes that at least 2M of memory should be mapped. mmu_insert_pages_no_flush() can be called in cases where less than that should be mapped, for example when creating a short alias of a big native allocation. Later, when kbase_mmu_teardown_pgd_pages() tries to tear down this region, it will detect that unmapping a subsection of a 2M ATE is not possible and write a log message complaining about this, but then proceed as if everything was fine while leaving the ATE intact. This means the higher-level code will proceed to free the referenced physical memory while the ATE still points to it.